Skip site navigation (1) Skip section navigation (2)

Re: Protection from SQL injection

From: "Brendan Jurd" <direvus(at)gmail(dot)com>
To: PFC <lists(at)peufeu(dot)com>
Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-28 23:03:33
Message-ID: 37ed240d0804281603g145435b7yc55e835233634627@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
On Tue, Apr 29, 2008 at 7:00 AM, PFC <lists(at)peufeu(dot)com> wrote:
>  I have found that the little bit of code posted afterwards did eliminate
> SQL holes in my PHP applications with zero developer pain, actually it is
> MORE convenient to use than randomly pasting strings into queries.
>
>  You just call
>  db_query( "SELECT * FROM table WHERE column1=%s AND column2=%s", array(
> $var1, $var2 ));
>

Implementing this for yourself is crazy; PHP's Postgres extension
already does this for you since 5.1.0:

$result = pg_query_params("SELECT foo FROM bar WHERE baz = $1", array($baz));

http://www.php.net/manual/en/function.pg-query-params.php

Cheers,
BJ

In response to

Responses

pgsql-hackers by date

Next:From: Sam MasonDate: 2008-04-28 23:15:44
Subject: Re: Protection from SQL injection
Previous:From: Tom LaneDate: 2008-04-28 21:41:51
Subject: Re: WANTED: VACUUM SUMMARY

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group