Re: Select Where using character varying ??

From: Mariusz Pękala <skoot(at)qi(dot)pl>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: Select Where using character varying ??
Date: 2006-10-03 20:03:53
Message-ID: 20061003200353.GA8719@cthulhu.sdi.tpnet.pl
Lists: pgsql-php
> I think you should try:
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name 
> =\"$Sem\"");

Double quotes are for quoting column names, not string constants.

> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name 
> ='$Sem'");

Better, but all strings, especially those provided by a user, should be
passed through the function pg_escape_string.

Consider that some user types in a form field a text like this:

'; delete from seminar where ''='

When you add single quotes you get two valid queries. One of them is
what you would never want to be executed ;-)

And, by the way - pg_exec is a deprecated name AFAIK. The new one is
pg_query.


-- 
Furthermore, I think Internet Explorer must be destroyed.
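The following PHP is an added example illustrating the point made in the message above; it is not code from the thread. It assumes `$conn` is an open connection from `pg_connect()` and a table `seminar(seminar_id, name)`; the helper names `build_unsafe_query` and `build_escaped_query` are hypothetical, and the user input is the constructed string from the message.

```php
<?php
// Added example, not from the original thread. Assumes $conn is an open
// connection from pg_connect() and a table seminar(seminar_id, name) exists.

// Constructed input: the text from the message, as a user could type it
// into a form field.
$Sem = "'; delete from seminar where ''='";

// Unsafe: interpolating $Sem into the SQL lets the single quote in the
// input close the string literal early, so the text becomes two
// statements (a SELECT, then a DELETE).
function build_unsafe_query(string $sem): string
{
    return "SELECT seminar_id FROM seminar WHERE name = '$sem'";
}

// Escaped: pg_escape_string() doubles every single quote in the input,
// so the whole value stays inside one string literal and the text after
// the semicolon is just part of the compared string, not a second statement.
function build_escaped_query($conn, string $sem): string
{
    return "SELECT seminar_id FROM seminar WHERE name = '"
        . pg_escape_string($conn, $sem) . "'";
}

echo build_unsafe_query($Sem), "\n";
echo build_escaped_query($conn, $Sem), "\n";

// Preferred: a parameterized query keeps SQL and data apart. The value is
// sent to the server separately from the statement text, so no quoting
// or escaping is needed at all, and pg_query (not the deprecated pg_exec
// name) is what pg_query_params builds on.
$res = pg_query_params(
    $conn,
    'SELECT seminar_id FROM seminar WHERE name = $1',
    [$Sem]
);
while ($row = pg_fetch_assoc($res)) {
    echo $row['seminar_id'], "\n";
}
```

Printing the two built strings side by side shows the difference the message describes: the unsafe builder yields a SELECT followed by a DELETE, while the escaped builder yields a single SELECT whose literal contains doubled quotes. `pg_query_params` is the form to reach for in new code, since it removes the need to remember escaping on every query; `pg_escape_literal()` (PHP 5.4.4 and later) is a middle ground that returns the value already wrapped in quotes.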

Copyright © 1996-2014 The PostgreSQL Global Development Group