RebeccaJ wrote:
Thanks, everyone, for your contribution to this thread. I'm
approaching the database design of my web application differently,
now. Before, I was planning to have CHECK constraints in all of my
text or char fields, to keep out all semicolons, single quotes, and
anything else that looked dangerous. Now I'm thinking that I'll be
using htmlentities(), pg_escape_string() and pg_query_params() as
safety filters, and otherwise allowing users to store whatever they
want to, in the fields where I store/retrieve user input.
Note that htmlentities() expects LATIN1-encoded strings and is thus
unusable on UTF-8 contents.
So if you end up talking UTF-8 with the database, you'll probably need
to use htmlspecialchars() instead, and UTF-8 as your HTML charset.
Best regards,
--
Daniel
PostgreSQL-powered mail user agent and storage:
http://www.manitou-mail.org
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
