[pg-devel] Escaping SQL.

Erik Enge erik.enge at gmail.com
Tue Sep 12 06:44:11 UTC 2006


Hi,

I want to make sure I escape all user input to avoid SQL injection
attacks.  It is my understanding that by using PG-BIND Postgres would
do this on my behalf, however I do not currently use PG-BIND and I
think I would like to avoid it so I don't have to specify the types of
my parameters everywhere.

I can't find any SQL escape function in the pg source code nor can I
really find any mention of anyone needing such a function.  Does this
mean that most are using PG-BIND, are rolling their own, or that I
have missed something really obvious?

I wrote a small library which interfaces with libpq's PQescapeString()
function and does all the proper escaping for me.  I guess I'm asking
if you want that as a patch (perhaps not, since it requires the .so)
or would there be interest in my sharing this as a separate library?

I create a new PG connection for every thread, so using
PQescapeString() works safely; however, I'm willing to go the extra step
and add PQescapeStringConn() if that's interesting to anyone.

Thanks,
Erik.
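As an added example (not Erik's library and not part of the pg project), the escaping rules that libpq's PQescapeString() and PQescapeStringConn() implement, written out in Python so the difference between the two can be seen without a server. It assumes the PostgreSQL rules that a single quote is doubled inside a literal, that a backslash is an escape character only while standard_conforming_strings is off, and that escaping must be applied to characters in the connection's client encoding rather than to raw bytes, which is what the connection-aware PQescapeStringConn() variant gets right. The Shift_JIS sample is a constructed input chosen because that encoding has multibyte characters whose trailing byte is 0x5c, ASCII backslash.

```python
# Added example, not the poster's code. Models the escaping rules of
# PQescapeString()/PQescapeStringConn() and shows why the variant that
# knows the connection (its client encoding and the
# standard_conforming_strings setting) is the one to use.

def escape_literal(value: str, standard_conforming_strings: bool = True) -> str:
    """Return `value` as a quoted SQL literal, escaped at the character level."""
    out = value.replace("'", "''")
    if not standard_conforming_strings:
        # With standard_conforming_strings off, '\' escapes the next character
        # inside '...', so it has to be doubled as well.
        out = out.replace("\\", "\\\\")
    return "'" + out + "'"


def escape_bytes_naively(raw: bytes, standard_conforming_strings: bool = False) -> bytes:
    """The mistake an encoding-unaware escaper makes: editing encoded bytes."""
    out = raw.replace(b"'", b"''")
    if not standard_conforming_strings:
        out = out.replace(b"\\", b"\\\\")
    return b"'" + out + b"'"


def literal_is_terminated(sql: str, standard_conforming_strings: bool) -> bool:
    """Scan the quoted literal at sql[0] the way the server's lexer would and
    report whether its closing quote is ever found."""
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not standard_conforming_strings:
            i += 2          # backslash consumes the following character
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2      # doubled quote is a literal quote, not the end
                continue
            return True     # closing quote reached
        i += 1
    return False            # literal ran off the end of the statement


def query_with_escaping(name: str, standard_conforming_strings: bool = True) -> str:
    """Escape-and-interpolate, the approach the post describes."""
    return "SELECT * FROM users WHERE name = " + escape_literal(name, standard_conforming_strings)


def query_with_parameters(name: str):
    """The PG-BIND-style alternative: statement text and data stay separate,
    so no escaping is needed at all. Returns what would be sent to the server."""
    return ("SELECT * FROM users WHERE name = $1", [name])


def multibyte_demo() -> dict:
    """Constructed: in Shift_JIS the character '表' encodes as b'\\x95\\x5c';
    its trailing byte 0x5c is ASCII backslash. Compare byte-level escaping
    with character-level escaping when standard_conforming_strings is off."""
    encoding = "shift_jis"
    value = "表"
    encoded = value.encode(encoding)               # b'\x95\\'

    naive = escape_bytes_naively(encoded, standard_conforming_strings=False)
    naive_as_seen_by_server = naive.decode(encoding)   # "'表\\'" : stray backslash

    proper = escape_literal(value, standard_conforming_strings=False).encode(encoding)
    proper_as_seen_by_server = proper.decode(encoding)  # "'表'"

    return {
        "encoded": encoded,
        "naive_bytes": naive,
        "naive_terminated": literal_is_terminated(naive_as_seen_by_server, False),
        "proper_bytes": proper,
        "proper_terminated": literal_is_terminated(proper_as_seen_by_server, False),
    }


if __name__ == "__main__":
    print(query_with_escaping("O'Reilly"))
    print(query_with_parameters("O'Reilly"))
    for k, v in multibyte_demo().items():
        print(f"{k}: {v!r}")
```

The byte-level escaper doubles the 0x5c that is really the second half of a character, so the server decodes a stray backslash that swallows the closing quote and the literal never terminates. Escaping at the character level, with the connection's encoding known, leaves the character intact. The parameterized form sidesteps the problem entirely, which is the trade the post is weighing against having to declare parameter types.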


