
Hi, the PostgreSQL team has released the new .4 version as a security fix. http://www.postgresql.org/docs/techdocs.52

This is related to addslashes and Unicode-like charmaps.

<quote>
A few weeks ago, members of our Japanese developer community contacted us with news of a SQL injection exploit for PostgreSQL with PHP in Far Eastern character encodings such as SJIS. It seemed that a clever attacker could exploit knowledge of how multi-byte encodings and string escaping work inside PostgreSQL in order to sneak injected SQL strings past all commonly used client-side safeguards. Subsequent investigation showed that related attacks would work in all multi-byte encodings, in particular UTF8 which is widely used world-wide.
</quote>

This is probably true for other SQL backends as well.

Now, they turned off the backslash escaping with some charmaps:

<quote>
When the client is using a "client only" encoding (SJIS, BIG5, GBK, GB18030, or UHC) the server furthermore rejects uses of "\'" to represent a single quote mark in a SQL string literal. This historical usage has been deprecated for some time in favor of the SQL-standard representation "''" (two single quote marks).
</quote>

Also, the use of parameterized prepared statements is the best practice to avoid SQL injection, because all the tests and formatting checks from the standard PostgreSQL libs are processed.

<quote>
Use parameterized prepared statements to execute queries (e.g. "SELECT * FROM table WHERE id = ?")
</quote>

Now, that said, I wish to know if OTRS is ready to work with those changes.

Regards
-- Alexandre
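The two practices the quoted advisory recommends, shown as an added example that is not code from the post, PostgreSQL or OTRS. It assumes Python's bundled sqlite3 driver as a stand-in for a PostgreSQL connection (the placeholder discipline is the same; psycopg uses %s rather than ?), and the table and names are constructed sample data.

```python
# Added example, not code from the mailing-list post, PostgreSQL or OTRS.
# sqlite3 stands in for a PostgreSQL connection (assumption: same placeholder
# discipline; psycopg uses %s instead of ?).
import sqlite3

def quote_literal(value: str) -> str:
    """SQL-standard literal: double every single quote, never backslash it.
    Working on a decoded str means each quote is a whole character, so no
    multi-byte encoding can swallow an escape byte."""
    return "'" + value.replace("'", "''") + "'"

def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table with names containing quotes and backslashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer (name) VALUES (?)",
                     [("O'Brien",), ("Müller",), ("back\\slash'",)])
    return conn

def find_ids_parameterized(conn: sqlite3.Connection, name: str) -> list[int]:
    """Preferred form: the value never enters the SQL text, so the driver and
    server handle quoting and the input is treated purely as data."""
    rows = conn.execute("SELECT id FROM customer WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]

def find_ids_quoted(conn: sqlite3.Connection, name: str) -> list[int]:
    """Fallback when no placeholder is available: build the literal with
    quote_literal (doubled quotes), not with addslashes-style backslashes."""
    sql = "SELECT id FROM customer WHERE name = " + quote_literal(name)
    return [r[0] for r in conn.execute(sql).fetchall()]
```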