| PostgreSQL Tcl Interface Documentation | ||||
|---|---|---|---|---|
| Prev | Fast Backward | Fast Forward | Next | |
pg_escape_string quotes a string and escapes single quotes and backslashes within the string, making it safe for inclusion into SQL statements.
If you're doing something like
pg_exec $conn "insert into foo values ('$name');"
and name contains text includeng an unescaped single quote, such as Bob's House, at best the insert will fail, and at worst your software will be exploited via an SQL injection attack. Passing value strings through pg_escape_string will properly quote them for insertion into SQL commands.
pg_exec $conn "insert into foo values ([pg_escape_string $name]);"
...will make sure that any special characters that occur in name, such as single quote or backslash, will be properly quoted.
Returns the string, escaped for inclusion into SQL queries. Note that it adds a set of single quotes around the outside of the string as well.
In most cases, with recent versions of SQL, it is better to use the native parameter insertion capabilities of the SQL server and protocol. If you are using a version of PostgreSQL more recent then 7.4, consider the optional parameter arguments to pg_exec and pg_sendquery, and the paramarray option to pg_exec, pg_sendquery, and pg_select.