From: | Vincent de Phily <vdephily(at)bluemetrix(dot)com> |
---|---|
To: | pgsql-php(at)postgresql(dot)org |
Subject: | Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux |
Date: | 2007-02-05 11:01:40 |
Message-ID: | 200702051101.40315.vdephily@bluemetrix.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-php |
On Saturday 03 February 2007, Gary Chambers wrote:
> > you need for a non-parameterized query, like "INSERT INTO mytable (bd)
> > VALUES ('$data')" where bd is a bytea column, and $data went through
> > pg_escape_bytea().
>
> Understood. I do not like for several reasons that method of
> inserting data. It exposes me to SQL injection attacks, it's very
> inefficient (in Oracle, anyway -- perhaps you can correct me where
> Postgres is concerned), it seems uncharacteristic of a database with
> the qualities of Postgres, I can't have all my queries in a single
> source file, and I can't take advantage of the ease with which I can
> handle binary data with a bytea field.
This would be a problem related to php, not postgres. I'm handling binary data
in parameterized and COPY queries just fine with c++.
> > To me, this means that you should probably do non-parameterized queries
> > instead, with pg_query() and pg_escape_bytea(), with your bytea data.
>
> Would there be any advantage to simply using a text field and base64
> encoding and decoding the binary data? I really don't want to use
> non-parameterized queries.
base64 would solve your binary problem, but it is costly (disk space and cpu).
I think you can instead use prepared statements via SQL directly (as php
probably does in the end) :
// initialisation
pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES
($1);');
// insert loop
pg_query("EXECUTE mystatement (' . pg_escape_bytea($data) . "');");
Annoying to have to do all this yourself, but it should work (and it *is* a
parameterized query).
BTW, if you're doing bulk inserts, consider pg_copy_from() instead.
--
Vincent de Phily
From | Date | Subject | |
---|---|---|---|
Next Message | Karthikeyan Sundaram | 2007-02-05 21:37:40 | Symbol lookup error |
Previous Message | Ivo Rossacher | 2007-02-04 23:26:42 | Re: [SQL] Question regarding multibyte. |