Re: [GENERAL] text column constraint, newbie question
On Mar 22, 12:36 pm, scott.marl...@gmail.com (Scott Marlowe) wrote:
> ayup. As long as they're legal for your encoding, they'll go right in.
> If you wanna stuff in anything no matter the encoding, use a database
> initialized for SQL_ASCII encoding.

Thanks, everyone, for your contribution to this thread. I'm approaching the database design of my web application differently, now. Before, I was planning to have CHECK constraints in all of my text or char fields, to keep out all semicolons, single quotes, and anything else that looked dangerous. Now I'm thinking that I'll be using htmlentities(), pg_escape_string() and pg_query_params() as safety filters, and otherwise allowing users to store whatever they want to, in the fields where I store/retrieve user input.

Scott, your comment above introduced some new concepts to me, and now I'm thinking about foreign language text and other ways to be more flexible. I found this page that talks about encoding:

http://www.postgresql.org/docs/8.3/static/multibyte.html

And I wonder why you like SQL_ASCII better than UTF8, and whether others have any opinions about those two. (My web server's LC_CTYPE is C, so I can use any character set.) Wouldn't UTF8 allow more characters than SQL_ASCII?

Thanks again!

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
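The approach discussed in this thread (bound parameters for storage, entity encoding at output, no character-filtering CHECK constraint), as an added PHP example that is not part of any poster's message. It assumes a reachable PostgreSQL server; the PG_DSN variable, the notes table and the helper names are hypothetical. It also shows that text run through pg_escape_string() before pg_query_params() is stored with the doubled quotes in it.

```php
<?php
// Added example, not code from the thread. Assumes the pgsql extension and a
// reachable server; PG_DSN, the "notes" temp table and the helper names are
// hypothetical.
declare(strict_types=1);

function store_note($db, string $body): int
{
    // $1 travels separately from the SQL text, so quotes and semicolons in
    // $body are only ever data. No escaping or CHECK filter is involved.
    $res = pg_query_params($db,
        'INSERT INTO notes (body) VALUES ($1) RETURNING id', [$body]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($db));
    }
    return (int) pg_fetch_result($res, 0, 'id');
}

function fetch_note($db, int $id): ?string
{
    $res = pg_query_params($db, 'SELECT body FROM notes WHERE id = $1', [$id]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($db));
    }
    $row = pg_fetch_assoc($res);
    return $row === false ? null : $row['body'];
}

function render_note(string $body): string
{
    // Encode for the HTML context at output time; the stored value stays raw.
    return htmlentities($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = pg_connect(getenv('PG_DSN') ?: 'dbname=test');
if ($db === false) {
    exit("connection failed\n");
}
pg_query($db, 'CREATE TEMP TABLE notes (id serial PRIMARY KEY, body text NOT NULL)');

// Constructed inputs containing the characters a CHECK constraint would reject.
$samples = ["O'Reilly; it's 5 o'clock", '<b>5 > 3 & "ok"</b>'];
foreach ($samples as $raw) {
    $plain   = fetch_note($db, store_note($db, $raw));
    // Escaping before binding is stored literally (O''Reilly), so don't stack it.
    $stacked = fetch_note($db, store_note($db, pg_escape_string($db, $raw)));
    printf("round-trip: %s\nstacked:    %s\nhtml:       %s\n\n",
        $plain === $raw ? 'identical' : 'CHANGED', $stacked, render_note($plain));
}
```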
[GENERAL] text column constraint, newbie question
Hi,

I'm new to both PostgreSQL and web-based application development; I read the FAQ at postgresql.org (perhaps this discussion group has another FAQ that I haven't found yet?) and didn't see this addressed.

I'm creating a table with a column of type text, to be used in a php web application, where I'll be accepting user input for that text field.

Are there characters, maybe non-printing characters, or perhaps even whole phrases, that could cause problems in my database or application if I were to allow users to enter them into that column?

If so, does anyone happen to have a regular expression handy that you think is a good choice for text columns' CHECK constraint? Or maybe a link to a discussion of this topic?

Thanks!
Re: [GENERAL] text column constraint, newbie question
>> Are there characters, maybe non-printing characters, or perhaps even
>> whole phrases, that could cause problems in my database or application
>> if I were to allow users to enter them into that column?
>>
>> If so, does anyone happen to have a regular expression handy that you
>> think is a good choice for text columns' CHECK constraint? Or maybe a
>> link to a discussion of this topic?
>
> Nope, there's nothing you can put into a text to break pgsql.
> However, if you are using regular old queries, you'd be advised to use
> pg_escape_string() function in php to prevent SQL injection attacks.

Thanks! I'll check out pg_escape_string() in php, and I see that PostgreSQL also has something called PQescapeStringConn... I wonder if I should use both...

Also, I should have asked: what about char and varchar fields? Can those also handle any characters, as long as I consider SQL injection attacks?