pg_escape_string - escapes a string for inclusion into SQL statements. This is the same as pg_quote. It was added for consistency.
pg_escape_string string
pg_escape_string quotes a string and escapes single quotes and backslashes within the string, making it safe for inclusion into SQL statements.
If you're doing something like

    pg_exec $conn "insert into foo values ('$name');"

and name contains text including an unescaped single quote, such as Bob's House, at best the insert will fail, and at worst your software will be exploited via an SQL injection attack. Passing value strings through pg_escape_string will properly quote them for insertion into SQL commands:

    pg_exec $conn "insert into foo values ([pg_escape_string $name]);"

...will make sure that any special characters that occur in name, such as single quote or backslash, will be properly quoted.
string
    The string to be escaped.
Returns the string, escaped for inclusion into SQL queries. Note that it adds a set of single quotes around the outside of the string as well.
In most cases, with recent versions of PostgreSQL, it is better to use the native parameter insertion capabilities of the SQL server and protocol. If you are using a version of PostgreSQL more recent than 7.4, consider the optional parameter arguments to pg_exec and pg_sendquery, and the paramarray option to pg_exec, pg_sendquery, and pg_select.
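The following Tcl script is an added example, not part of the Pgtcl manual, contrasting the three forms discussed above: raw interpolation, pg_escape_string, and parameter arguments. It assumes a connection handle in $conn obtained from pg_connect, and that pg_exec accepts extra arguments bound to $1, $2, ... placeholders (the $1 syntax is assumed here from libpq conventions). escape_literal_reference is a hypothetical pure-Tcl model of the transformation the manual describes (double single quotes and backslashes, wrap in single quotes), included so the effect can be seen offline; it is not the library's own implementation.

```tcl
# Added example, not from the Pgtcl manual. The pg_exec procs below are
# only defined, not called, so the reference-model demonstration at the
# bottom runs even without a database or the Pgtcl package installed.
if {[catch {package require Pgtcl}]} {
    puts "Pgtcl not loaded; only the reference model will run"
}

# Hypothetical reference model of what the manual says pg_escape_string
# does: double every backslash and single quote, then wrap in quotes.
# Inside a braced list, Tcl's list parser turns \\ into \ and \\\\ into \\,
# so this maps \ -> \\ and ' -> ''.
proc escape_literal_reference {s} {
    set s [string map {\\ \\\\ ' ''} $s]
    return '$s'
}

# Vulnerable form from the manual: $name is spliced into the SQL text.
proc insert_unsafe {conn name} {
    pg_exec $conn "insert into foo values ('$name');"
}

# Escaped form from the manual: pg_escape_string supplies the outer quotes.
proc insert_escaped {conn name} {
    pg_exec $conn "insert into foo values ([pg_escape_string $name]);"
}

# Preferred form: server-side parameter binding. The value travels out of
# band and is never part of the statement text. ($1 placeholder syntax is
# an assumption, see lead-in.)
proc insert_param {conn name} {
    pg_exec $conn {insert into foo values ($1);} $name
}

# Offline demonstration with constructed inputs (the manual's example plus
# a value containing a backslash).
foreach name [list {Bob's House} {C:\temp\file}] {
    puts "[format %-16s $name] -> [escape_literal_reference $name]"
}
```

One caveat worth keeping in mind when relying on client-side escaping: the manual's description of backslash doubling reflects the pre-9.1 server default. With standard_conforming_strings on (the default since PostgreSQL 9.1), a backslash inside a plain '...' literal is not special, so an escaper that doubles backslashes would store a different value than intended unless the literal is written as an E'...' string. A client-side escaper therefore has to match the server's setting, whereas the parameter-binding form (insert_param above) is unaffected by it, which is another reason to prefer parameters as the manual suggests.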