Hacker News

"Web applications sanitize the apostrophe (') character in strings coming from user input being passed to SQL statements using an escape (\) character."

Please, please don't say this. In the SQL standard, backslash is NOT the escape character for a string literal.

PostgreSQL, starting in v8.2, began transitioning from C-style escapes (using backslash) to SQL standard escapes (where a single quote is escaped with another single quote). Standard behavior is the default, but can be controlled with the variable standard_conforming_strings.

But you shouldn't have to know that anyway. Use out-of-band parameters that are passed in the wire protocol separately from the string. Web frameworks should already ensure this, and if they don't, they are likely broken.

If you are writing a web framework and you need to use escaping for some reason: first, make sure you can't use parameters on the wire instead; then read the product-specific literal parsing rules very carefully, considering things like multibyte characters.