Skip site navigation (1) Skip section navigation (2)

Re: newbie issues with PDO / stored procedures

From: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
To: pg 043g9j2g <pg043g9j2g(at)gmail(dot)com>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: newbie issues with PDO / stored procedures
Date: 2008-06-26 11:54:13
Message-ID: 1214481253.8013.22.camel@hippy.mcmillan.net.nz (view raw or flat)
Thread:
Lists: pgsql-php
On Tue, 2008-06-24 at 19:44 -0400, pg 043g9j2g wrote:

> >   
> It helped a lot! Thank you!
> 
> Now I am using DSQL in my application in a form like 'SELECT * FROM 
> my_usp(:param);' and using PDO's bindParam() function to pass in params.
> 
> So I think I am still achieving the intended security of using SPs 
> against SQL injection by not directly inserting request args in my SQL, 
> as well as being able to pass in params without explicitly creating a 
> VIEW first.

If your reasons for doing all this obfuscation are simply to avoid SQL
injection issues, then it seems to me that you are putting your efforts
into the wrong place.

PDO's bindParam() function is *already* achieving your goal.  Or PDO is,
when used correctly, even without binding parameters to names.

By jumping through these sorts of hoops you are making your code
significantly less maintainable (code needs to be maintained in two
different languages in two different places), and less efficient (the
database cannot plan as effectively), and more fragile (the separate
code bases may get out of sync, introducing a whole new set of
possibilities for error)....  and I could go on more too :-)



> I have accomplished this by defining a VIEW for my desired output schema 
> first and having the function return that type, but, is there any simple 
> "generic" type I can use as a return type to avoid having to do so? 
> Right now I am working in a RAD/prototyping mode and it slows me down a 
> bit to have to formalize everything in that way.

If you want to enforce read-only, (on top of the SQL injection avoidance
which PDO bought you already) then a view is a good way.  By default all
views in PostgreSQL are read-only, though they can be made writable with
a little extra effort.

Regards,
					Andrew McMillan.


-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ  Ltd,  PO Box 11-053, Manners St,  Wellington
WEB: http://catalyst.net.nz/            PHYS: Level 6, 150-154 Willis St
DDI: +64(4)803-2201      MOB: +64(272)DEBIAN      OFFICE: +64(4)499-2267
  Don't tell any big lies today.  Small ones can be just as effective.
-------------------------------------------------------------------------



In response to

pgsql-php by date

Next:From: PJDate: 2008-07-30 16:18:28
Subject: display query results
Previous:From: Chandra ASGI TechDate: 2008-06-25 15:54:56
Subject: Re: Can't connect to postgresql using php

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group