Re: newbie issues with PDO / stored procedures

From: Andrew McMillan <andrew(at)catalyst(dot)net(dot)nz>
To: pg 043g9j2g <pg043g9j2g(at)gmail(dot)com>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: newbie issues with PDO / stored procedures
Date: 2008-06-26 11:54:13
Message-ID: 1214481253.8013.22.camel@hippy.mcmillan.net.nz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-php

On Tue, 2008-06-24 at 19:44 -0400, pg 043g9j2g wrote:

> >
> It helped a lot! Thank you!
>
> Now I am using DSQL in my application in a form like 'SELECT * FROM
> my_usp(:param);' and using PDO's bindParam() function to pass in params.
>
> So I think I am still achieving the intended security of using SPs
> against SQL injection by not directly inserting request args in my SQL,
> as well as being able to pass in params without explicitly creating a
> VIEW first.

If your reasons for doing all this obfuscation are simply to avoid SQL
injection issues, then it seems to me that you are putting your efforts
into the wrong place.

PDO's bindParam() function is *already* achieving your goal. Or PDO is,
when used correctly, even without binding parameters to names.

By jumping through these sorts of hoops you are making your code
significantly less maintainable (code needs to be maintained in two
different languages in two different places), and less efficient (the
database cannot plan as effectively), and more fragile (the separate
code bases may get out of sync, introducing a whole new set of
possibilities for error).... and I could go on more too :-)

> I have accomplished this by defining a VIEW for my desired output schema
> first and having the function return that type, but, is there any simple
> "generic" type I can use as a return type to avoid having to do so?
> Right now I am working in a RAD/prototyping mode and it slows me down a
> bit to have to formalize everything in that way.

If you want to enforce read-only, (on top of the SQL injection avoidance
which PDO bought you already) then a view is a good way. By default all
views in PostgreSQL are read-only, though they can be made writable with
a little extra effort.

Regards,
Andrew McMillan.

-------------------------------------------------------------------------
Andrew @ Catalyst .Net .NZ Ltd, PO Box 11-053, Manners St, Wellington
WEB: http://catalyst.net.nz/ PHYS: Level 6, 150-154 Willis St
DDI: +64(4)803-2201 MOB: +64(272)DEBIAN OFFICE: +64(4)499-2267
Don't tell any big lies today. Small ones can be just as effective.
-------------------------------------------------------------------------

In response to

Browse pgsql-php by date

  From Date Subject
Next Message PJ 2008-07-30 16:18:28 display query results
Previous Message Chandra ASGI Tech 2008-06-25 15:54:56 Re: Can't connect to postgresql using php