Thread

  1. Re: Escaping metacharacters

    Oliver Elphick <olly@lfix.co.uk> — 2004-07-18T22:09:10Z

    On Thu, 2004-07-15 at 23:02, DarkSamurai wrote:
    > Hi,
    > 
    > To prevent SQL injections, I try to neutralize SQL metacharacters.
    > 
    > ex:
    > 
    > Code:
    > 
    > > function SQLString($s) {
    > >     $s = str_replace("'", "\\'", $s);     // escape single quotes
    > >     $s = str_replace("\\", "\\\\", $s);   // escape backslashes
    > >     return "'" . $s . "'";                // wrap as a SQL string literal
    > > }
    
    Have you looked at the function PQescapeString() in the libpq library? 
    Using that would seem to be a simpler way of solving this problem.
    
    Libraries such as Perl DBI have similar functions built in.
    
    -- 
    Oliver Elphick                                          olly@lfix.co.uk
    Isle of Wight                              http://www.lfix.co.uk/oliver
    GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                     ========================================
         "For God so loved the world, that he gave his only 
          begotten Son, that whosoever believeth in him should 
          not perish, but have everlasting life."     John 3:16
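
An added example (not code from the thread) of why the hand-rolled escaper is fragile and what a library escaper such as PQescapeString has to know that it cannot: the quoted PHP escapes quotes before backslashes, so the backslash it just added gets doubled and the quote is left bare; and on a server with standard_conforming_strings=on (the PostgreSQL default since 9.1) backslashes are not escapes at all, so even the reordered version produces a literal that closes early. The function names and the scanner are mine; the scanner models only the two literal forms discussed here.

```python
def naive_sql_string(s: str) -> str:
    """The order in the quoted post: quote first, then backslash."""
    s = s.replace("'", "\\'")
    s = s.replace("\\", "\\\\")
    return "'" + s + "'"


def fixed_sql_string(s: str) -> str:
    """Backslash first, then quote. Correct only when the server treats
    backslashes in '...' literals as escapes (standard_conforming_strings=off)."""
    s = s.replace("\\", "\\\\")
    s = s.replace("'", "\\'")
    return "'" + s + "'"


def standard_sql_string(s: str) -> str:
    """SQL-standard escaping: double the quote; a backslash is an ordinary
    character (standard_conforming_strings=on, the PostgreSQL default)."""
    return "'" + s.replace("'", "''") + "'"


def literal_is_closed(lit: str, backslash_escapes: bool) -> bool:
    """Scan a single-quoted literal the way the server would and report
    whether its closing quote is the final character. If it is not, the
    string ends early and whatever follows is parsed as SQL: injection."""
    if not lit.startswith("'"):
        return False
    i, n = 1, len(lit)
    while i < n:
        c = lit[i]
        if backslash_escapes and c == "\\":
            i += 2                      # \x consumes the next character
            continue
        if c == "'":
            if i + 1 < n and lit[i + 1] == "'":
                i += 2                  # '' is an escaped quote in both modes
                continue
            return i == n - 1           # first bare quote must be the last char
        i += 1
    return False                        # literal never closed


if __name__ == "__main__":
    # Constructed inputs: a backslash followed by a quote, and a name with a quote.
    for value in ["\\'", "O'Reilly"]:
        for name, fn in [("naive", naive_sql_string), ("fixed", fixed_sql_string),
                         ("standard", standard_sql_string)]:
            lit = fn(value)
            print(f"{name:9s} {lit!r:16s} backslash-mode closed: "
                  f"{literal_is_closed(lit, True)}  standard-mode closed: "
                  f"{literal_is_closed(lit, False)}")
```

The library escaper (PQescapeStringConn in libpq, pg_escape_string in PHP's pgsql extension) consults the connection's setting and encoding to pick the right form, and parameterized queries (PQexecParams) avoid building the literal at all.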