This is a discussion on ADOdb within the PHP Language forums, part of the PHP Programming Forums category.
I'm interested in adopting ADOdb (actually ADOdb Lite) and have a simple question that I haven't been able to quite pinpoint an answer to. I'm used to using the native mysql functions with mysql_escape_string(). With ADOdb, is this handled transparently with the execute method or should I take my own steps to sanitize input data? Also, one of the reasons I'm looking at ADOdb is I'd like to start to explore PostgreSQL. Are the security considerations with Postgres similar to mysql? If you can point me in the right direction, I'll appreciate it.

Thanks,
Tom
Tom wrote:
> I'm interested in adopting ADOdb (actually ADOdb Lite) and have a
> simple question that I haven't been able to quite pinpoint an answer
> to.
>
> I'm used to using the native mysql functions with
> mysql_escape_string(). With ADOdb, is this handled transparently with
> the execute method or should I take my own steps to sanitize input
> data?

When using ADOdb you should escape strings using the $db->qstr() method; this will escape the string properly for the database type you use. Data returned will be returned 'sanely', i.e. if slashes were added for insertion into the database, they will be removed automagically. Have a look at the ADOdb documentation, it's pretty detailed and explains all this.

Grz,
Jrf
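As an added illustration, not code from this thread or from ADOdb's own documentation, here is the contrast between the raw string concatenation that needs mysql_escape_string() and the $db->qstr() call recommended above, plus ADOdb's `?` placeholder form with an input array. The connection details, the "users" table and its "username" column are hypothetical, and the placeholder form is assumed to be available in full ADOdb (ADOdb Lite may not support it).

```php
<?php
// Added example: escaping a user-supplied value for an ADOdb query.
// Assumes an ADOdb install and a table "users" with a column "username"
// (both hypothetical); swap 'mysql' for 'postgres' to target PostgreSQL.
require_once 'adodb/adodb.inc.php';

$db = NewADOConnection('mysql');
$db->Connect('localhost', 'dbuser', 'dbpass', 'appdb');

// Constructed sample input: the single quote would close the SQL literal
// early if the value were pasted into the query unchanged.
$username = "o'brien";

// UNSAFE: raw concatenation, the same problem as unescaped mysql_query().
$unsafe = "SELECT id FROM users WHERE username = '" . $username . "'";
// -> SELECT id FROM users WHERE username = 'o'brien'   (broken literal)

// SAFE: qstr() returns the value quoted and escaped for the connected
// driver, so the whole input stays inside one string literal. Note that
// qstr() supplies the surrounding quotes itself; do not add your own.
$safe = "SELECT id FROM users WHERE username = " . $db->qstr($username);
// MySQL driver -> SELECT id FROM users WHERE username = 'o\'brien'
// (the PostgreSQL driver produces its own escaping; qstr() picks the form)
$rs = $db->Execute($safe);

// Safer still (full ADOdb): let the driver bind the value, so no quoting
// is done by hand at all.
$rs = $db->Execute('SELECT id FROM users WHERE username = ?', array($username));

if ($rs === false) {
    die('Query failed: ' . $db->ErrorMsg());
}
while (!$rs->EOF) {
    echo $rs->fields['id'], "\n";
    $rs->MoveNext();
}
```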
Thank you for the responses. This helped.

In the event anyone else comes across this with the same question, here's the ADOdb documentation: http://phplens.com/lens/adodb/docs-adodb.htm

And on inserting: http://phplens.com/lens/adodb/docs-adodb.htm#ex3

I also found the Wikipedia article on SQL injection useful (it mentions ADOdb specifically): http://en.wikipedia.org/wiki/SQL_injection#Remediation

Tom