Using the pg_escape_literal PHP function, I’m escaping my user input data as follows:
<?php
$dbconn = pg_connect('dbname=foo');
$escaped = pg_escape_literal($_GET['name']);
pg_query("INSERT INTO participants (name) VALUES ({$escaped})");
?>
Being new to PostgreSQL, my questions are:
- Is there a way to achieve an SQL injection given this code?
- Is there any other vulnerability that is left untreated in this code?
Using PHP 5.4 and PostgreSQL 9.2.
Since you do not trust any user input and you escape it accordingly, there is no injection in there.
Furthermore, you can use prepared statements to ensure you don’t forget any escape, and that you use the correct data types for the statement.
Remember that if you forget only one escape, your whole system is compromised, even if all the rest is escaped.
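As an added example (not the answerer's or the poster's code), here is the question's INSERT rewritten with a parameterized query and with a named prepared statement, so the value is sent separately from the SQL text and never needs escaping; it assumes the same `participants (name)` table and `dbname=foo` connection as the question and targets PHP 5.4 as stated.

```php
<?php
// Added example, not from the original post. Assumes the table
// participants(name) and the DSN 'dbname=foo' from the question.

$dbconn = pg_connect('dbname=foo');
if ($dbconn === false) {
    http_response_code(500);
    exit('database connection failed');
}

// Validate presence explicitly instead of relying on an undefined-index notice.
$name = isset($_GET['name']) ? $_GET['name'] : null;
if ($name === null || $name === '') {
    http_response_code(400);
    exit('name is required');
}

// Option 1: pg_query_params. $1 is a value placeholder; the driver sends the
// text out-of-band, so quotes or semicolons in $name cannot alter the statement.
$result = pg_query_params(
    $dbconn,
    'INSERT INTO participants (name) VALUES ($1)',
    array($name)
);
if ($result === false) {
    error_log('insert failed: ' . pg_last_error($dbconn));
    http_response_code(500);
    exit('insert failed');
}

// Option 2: a named prepared statement, parsed once and executed per row.
// The parameter list is validated against the statement on every pg_execute.
$prep = pg_prepare(
    $dbconn,
    'insert_participant',
    'INSERT INTO participants (name) VALUES ($1)'
);
if ($prep === false || pg_execute($dbconn, 'insert_participant', array($name)) === false) {
    error_log('prepared insert failed: ' . pg_last_error($dbconn));
    http_response_code(500);
    exit('insert failed');
}

echo 'ok';
?>
```

A placeholder can only stand for a value; if a table or column name had to come from input it would need pg_escape_identifier (or, better, a fixed allow-list), since neither pg_escape_literal nor $1 parameters cover identifiers.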