Hi

From the pg_escape_string() manual page: "pg_escape_string() escapes a string for insertion into the database. It returns an escaped string in the PostgreSQL format. Use of this function is recommended instead of addslashes()." And we are using addslashes() on http://www.php.net/manual/en/security.database.storage.php ? :)
-Hannes cvs diff: Diffing . Index: database.xml =================================================================== RCS file: /repository/phpdoc/en/security/database.xml,v retrieving revision 1.11 diff -u -r1.11 database.xml --- database.xml 14 Feb 2005 14:09:59 -0000 1.11 +++ database.xml 12 Apr 2006 14:42:50 -0000 @@ -121,12 +121,12 @@ // storing password hash $query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", - addslashes($username), md5($password)); + pg_escape_string($username), md5($password)); $result = pg_query($connection, $query); // querying if user submitted the right password $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", - addslashes($username), md5($password)); + pg_escape_string($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) > 0) {
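Review bot: both replaced lines call pg_escape_string($username) without the connection, although `$connection` is in scope and is passed to pg_query($connection, $query) on the very next line; the correct escaping depends on that connection's client encoding and its standard_conforming_strings setting, so the example should read `pg_escape_string($connection, $username)` wherever the PHP version supports the connection argument (otherwise the doc should say why it is omitted). Since this is the manual's security page, it is also worth a sentence that pg_query_params() avoids string escaping altogether, which is the approach a reader should be steered toward. The unchanged context still stores and compares a bare md5($password); that is outside this hunk, but if the example is being touched anyway it should not be left as the recommended pattern.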
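The point raised above, that addslashes() is not a PostgreSQL escaper, is easier to see with the two routines side by side. The following is an added example and is not code from the phpdoc page, the patch, or its author: php_addslashes() and pg_escape_string() here emulate PHP's addslashes() and libpq's PQescapeStringConn(), and scan_literal() is a deliberately small model of how PostgreSQL lexes a plain single-quoted literal; all three are simplifying assumptions for illustration, the login query is the shape used on the manual page, and the attacker input and password hash are constructed.

```python
"""
Added example, not from the phpdoc page or the patch: why addslashes() is the
wrong escaper for PostgreSQL and what pg_escape_string() does instead.

php_addslashes() and pg_escape_string() emulate PHP's addslashes() and libpq's
PQescapeStringConn(); scan_literal() is a small model of PostgreSQL's lexer for
plain single-quoted literals.  All three are simplified assumptions, not the
real implementations.
"""

PWD_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # md5("password"); constructed sample


def php_addslashes(s, scs=True):
    """Emulates PHP addslashes(): a backslash before ' " \\ and NUL.
    scs is accepted only for a uniform signature; addslashes() knows nothing
    about the database it is feeding."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def pg_escape_string(s, scs=True):
    """Emulates libpq PQescapeStringConn(): single quotes are doubled, and
    backslashes are doubled only when the connection reports
    standard_conforming_strings = off (the pre-9.1 default)."""
    s = s.replace("'", "''")
    if not scs:
        s = s.replace("\\", "\\\\")
    return s


def scan_literal(sql, scs=True):
    """Scan the single-quoted literal at sql[0] and return (value, rest).
    Models PostgreSQL's lexer for plain (non-E'...') literals: '' yields one
    quote; with standard_conforming_strings on a backslash is an ordinary
    character, with it off a backslash escapes the next character (other
    escapes such as \\n are not modelled here)."""
    if not sql or sql[0] != "'":
        raise ValueError("expected a string literal")
    i, value = 1, []
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":
                value.append("'")
                i += 2
                continue
            return "".join(value), sql[i + 1:]
        if ch == "\\" and not scs and i + 1 < len(sql):
            value.append(sql[i + 1])
            i += 2
            continue
        value.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def login_query(escaped_name, pwd_hash):
    """The query shape from the manual page's example."""
    return "SELECT 1 FROM users WHERE name='%s' AND pwd='%s';" % (escaped_name, pwd_hash)


def injected(username, escaper, scs=True):
    """True if, after escaping, the name literal ends before the attacker's
    text does, i.e. the user now controls SQL following name='...'."""
    sql = login_query(escaper(username, scs), PWD_HASH)
    start = sql.index("name='") + len("name=")
    _value, rest = scan_literal(sql[start:], scs)
    return not rest.startswith(" AND pwd=")


if __name__ == "__main__":
    payload = "' OR 1=1 -- "  # constructed attacker input
    for name, esc in (("addslashes", php_addslashes), ("pg_escape_string", pg_escape_string)):
        for scs in (True, False):
            print("%-17s standard_conforming_strings=%-5s injected=%s"
                  % (name, scs, injected(payload, esc, scs)))
```

With standard_conforming_strings on, addslashes() turns the payload into `\' OR 1=1 -- `, the literal closes right after the backslash, and the rest of the input runs as SQL (the `--` even comments out the password check); pg_escape_string() doubles the quote instead, which PostgreSQL reads correctly under either setting. The emulation also shows why the connection matters to pg_escape_string(): whether backslashes need doubling is a per-connection property, which is one more reason to pass `$connection` or to use pg_query_params() and skip escaping entirely.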