
pg_query_params and SQL injection

From: Kevin Golding <tearinghairout(at)yahoo(dot)com>
To: pgsql-php(at)postgresql(dot)org
Subject: pg_query_params and SQL injection
Date: 2008-09-01 13:50:16
Message-ID: 723113.98907.qm@web52404.mail.re2.yahoo.com
Lists: pgsql-php
Hi all,
I am just doing some playing around with PHP to learn how to avoid SQL injection attacks.
It has been mentioned in a few places that pg_query_params is supposed to protect from SQL injection without needing to mess around escaping quotes and things.

However, I was still able to get it to drop a table by feeding in this input "1; drop table results" to the following statement:
$r = pg_query_params($p, 'select * from results where res_id = $1', array($input));

Everyone keeps repeating the same "pg_query_params is safe from SQL injection", but surely someone else must have actually tried it? Where am I going wrong?

I am using PostgreSQL 8.3 for OS X on 10.5.2, and MAMP, which has PHP Version 5.2.5.

Thanks
Kevin
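
The difference between interpolating a value into the SQL text and binding it as a parameter, shown as an added example (this is not code from the original post, and the poster's exact test script is not on the page). It assumes a local PostgreSQL reachable with the $conninfo string and a role that may create and drop tables in that database; the results table, its rows and the helper functions are constructed here for the demonstration.

```php
<?php
// Added example, not the original poster's code. Assumes a local PostgreSQL
// reachable via $conninfo; change host/dbname/user/password to match.
$conninfo = 'host=localhost dbname=testdb user=test password=test';
$conn = pg_connect($conninfo);
if ($conn === false) {
    die("connect failed\n");
}

// Constructed fixture so the script stands alone.
function reset_fixture($conn)
{
    pg_query($conn, 'drop table if exists results');
    pg_query($conn, 'create table results (res_id integer primary key, note text)');
    pg_query($conn, "insert into results values (1, 'one'), (2, 'two')");
}

// Parameterised lookup in pg_catalog: true if the table still exists.
function table_exists($conn, $name)
{
    $r = pg_query_params($conn,
        'select 1 from pg_class where relname = $1 and relkind = $2',
        array($name, 'r'));
    return $r !== false && pg_num_rows($r) > 0;
}

$input = '1; drop table results';   // the attacker-controlled value from the post

// 1. Vulnerable: the value is pasted into the SQL text. pg_query() sends the
//    whole string to the server, which executes BOTH statements.
reset_fixture($conn);
$sql = "select * from results where res_id = $input";
$r = @pg_query($conn, $sql);
printf("pg_query:        query %s, results table %s\n",
    $r === false ? 'failed: ' . trim(pg_last_error($conn)) : 'ran',
    table_exists($conn, 'results') ? 'survived' : 'DROPPED');

// 2. Safe: the SQL text is fixed and the value travels separately as the
//    bind parameter $1 (PQexecParams underneath). The server parses the text
//    once, never re-parses the value as SQL, and accepts only one statement
//    per call. Because res_id is integer, '1; drop table results' is rejected
//    as invalid input and nothing else runs.
reset_fixture($conn);
$r = @pg_query_params($conn, 'select * from results where res_id = $1', array($input));
printf("pg_query_params: query %s, results table %s\n",
    $r === false ? 'failed: ' . trim(pg_last_error($conn)) : 'ran',
    table_exists($conn, 'results') ? 'survived' : 'DROPPED');

// 3. The same value bound against a text column: no error, simply no match.
$r = pg_query_params($conn, 'select * from results where note = $1', array($input));
printf("text column:     %d row(s) matched, results table %s\n",
    pg_num_rows($r),
    table_exists($conn, 'results') ? 'survived' : 'DROPPED');
```

Two caveats a practitioner should keep in mind. Binding only covers values: a table name, column name or ORDER BY direction cannot be passed as $1, so anything of that kind has to be checked against a whitelist before it goes into the query text (pg_escape_identifier() exists only from PHP 5.4.4, so it is not available on the PHP 5.2.5 mentioned above). And a single parameterised query protects only itself; if any other statement in the application still builds SQL by concatenation, as the first step does, that statement remains injectable, so every query path needs checking, not just one.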



