Skip site navigation (1) Skip section navigation (2)

Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux

From: "Gary Chambers" <gwchamb(at)gmail(dot)com>
To: ljb <lbayuk(at)pobox(dot)com>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
Date: 2007-02-03 04:09:08
Message-ID: 302670f20702022009x417a210fm5e0fa36d860a225@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-php
Thanks for the reply!

> pg_query_params() should have been made binary-safe, but it isn't. It only
> accepts and passes 'text' mode arguments to PostgreSQL.  So you cannot put
> raw bytea data into a query parameter.

Hmmm...  Disappointing.  Will pg_query_params ever become binary safe?
 I'm evaluating Postgres as an alternative to Oracle, so that's where
the majority of my experience lies.

> you need for a non-parameterized query, like "INSERT INTO mytable (bd)
> VALUES ('$data')" where bd is a bytea column, and $data went through
> pg_escape_bytea().

Understood.  I do not like for several reasons that method of
inserting data.  It exposes me to SQL injection attacks, it's very
inefficient (in Oracle, anyway -- perhaps you can correct me where
Postgres is concerned), it seems uncharacteristic of a database with
the qualities of Postgres, I can't have all my queries in a single
source file, and I can't take advantage of the ease with which I can
handle binary data with a bytea field.

> To me, this means that you should probably do non-parameterized queries
> instead, with pg_query() and pg_escape_bytea(), with your bytea data.

Would there be any advantage to simply using a text field and base64
encoding and decoding the binary data?  I really don't want to use
non-parameterized queries.

-- Gary Chambers

// Nothing fancy and nothing Microsoft!

In response to

Responses

pgsql-php by date

Next:From: Karthikeyan SundaramDate: 2007-02-04 21:34:41
Subject: Re: [SQL] Question regarding multibyte.
Previous:From: ljbDate: 2007-02-03 02:50:48
Subject: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group