pg_escape_string()
The pg_escape_string() function is a part of the PostgreSQL (PgSQL) extension in PHP. It is used to escape string literals for safe use in SQL queries when working with PostgreSQL databases. The primary purpose of this function is to prevent SQL injection, a common web security vulnerability that allows attackers to interfere with the queries that an application makes to its database.
It escapes special characters in a string for use in an SQL query. Escaping a string involves prefixing certain characters with a backslash (). These characters typically include single quotes ('), double quotes ("), and others that might otherwise be interpreted in a harmful way by the SQL parser.
The function can be used in two ways:
- As
pg_escape_string(string $data)
, which escapes a string for safe use in an SQL query. - As
pg_escape_string(resource $connection, string $data)
, which takes an additional argument – a connection resource to the PostgreSQL database. This is useful when multiple connections are present, and you need to specify which connection's encoding should be considered while escaping the string.
An example usage may be:
$dbconn = pg_connect("host=localhost dbname=mydb user=myuser password=mypass")
or die('Could not connect: ' . pg_last_error());
// Unsafe data
$data = "O'Reilly";
// Escaping string
$escapedData = pg_escape_string($dbconn, $data);
// Safe SQL query
$query = "SELECT * FROM authors WHERE name = '$escapedData'";
$result = pg_query($query) or die('Query failed: ' . pg_last_error());