On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
> Hi,
>
> To prevent SQL injections, I try to neutralize SQL metacharacters.
>
> ex:
>
> Code:
>
>     function SQLString($s) {
>         // Escape backslashes first, then single quotes; doing it the
>         // other way round doubles the backslash added before a quote.
>         $s = str_replace("\\", "\\\\", $s);
>         $s = str_replace("'", "\\'", $s);
>         return "'" . $s . "'";
>     }
Have you looked at the function PQescapeString() in the libpq library? Using that would seem to be a simpler way of solving this problem. Libraries such as Perl DBI have similar functions built in.

-- 
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life." John 3:16

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://archives.postgresql.org
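An added example, not from either poster, showing why the order of the two str_replace() calls in the quoted function matters and how the same job is done with PHP's pg_escape_string(), which wraps the libpq PQescapeString() that Oliver mentions. The function names SQLStringBuggy, SQLStringFixed and SQLStringLib and the sample input are this example's own; $conn is assumed to be an open pg_connect() handle.

```php
<?php
// Escaping quotes first, then backslashes (the order in the original post).
// Input  O'Reilly \ 1  becomes  O\\'Reilly \\ 1 : the backslash that was
// meant to protect the quote is itself escaped, so the quote is bare and
// terminates the SQL string early, which is exactly the injection the
// function was meant to prevent.
function SQLStringBuggy($s) {
    $s = str_replace("'", "\\'", $s);
    $s = str_replace("\\", "\\\\", $s);
    return "'" . $s . "'";
}

// Backslashes first, then quotes: O'Reilly \ 1  becomes  O\'Reilly \\ 1.
// This hand-rolled version assumes the server treats backslash as an
// escape character inside string literals.
function SQLStringFixed($s) {
    $s = str_replace("\\", "\\\\", $s);
    $s = str_replace("'", "\\'", $s);
    return "'" . $s . "'";
}

// Library route: pg_escape_string() applies the escaping rules of the
// connected server (via libpq's PQescapeString()); the caller still adds
// the surrounding quotes.
function SQLStringLib($conn, $s) {
    return "'" . pg_escape_string($conn, $s) . "'";
}

// Constructed sample input containing both metacharacters.
$sample = "O'Reilly \\ 1";

// Sanity check of the fixed version: every ' is preceded by exactly one
// backslash and every original \ is doubled.
if (SQLStringFixed($sample) !== "'O\\'Reilly \\\\ 1'") {
    throw new RuntimeException("SQLStringFixed produced unexpected output");
}

echo "buggy: ", SQLStringBuggy($sample), PHP_EOL;
echo "fixed: ", SQLStringFixed($sample), PHP_EOL;
```

Compare the two printed lines: in the buggy output the quote after O is not escaped. Escaping is still a string-building workaround; where the driver offers parameter binding (as Perl DBI does), binding the value avoids the problem entirely.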