On Fri, 2006-05-26 at 08:58, Erik Jones wrote: > ljb wrote: > > [EMAIL PROTECTED] wrote: > > > >> ljb <[EMAIL PROTECTED]> writes: > >> > >>> | addslashes() or magic_quotes. We note that these tools have been > >>> deprecated > >>> | by the PHP group since version 4.0. > >>> > >>> Can anyone provide a source for the statement? > >>> > >> I'm not going to put words in Josh's mouth about where he got that from, > >> but anyone who reads all of the comments at > >> http://us3.php.net/manual/en/function.addslashes.php > >> ought to come away suitably unimpressed with the security of that > >> function. > >> > > > > Yes, sorry, I did see those comments, although I don't think they are from > > the PHP group themselves. But I missed the statement on the > > pg_escape_string > > manual page saying "use of this function is recommended instead of > > addslashes()". I still think "since version 4.0" is wrong. > > > Better yet, use PEAR::DB or some other db abstraction package that will > handle all of this for you.
Or, if you're going to use the native pgsql interface, you can always use prepared queries. http://www.php.net/manual/en/function.pg-prepare.php Actually, other than still not having error numbers (just the error messages, seems like "priority inversion" to me, btw) the pgsql interface in php is quite robust. You can even run async queries with it. ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend
