| From: | Greg Stark <gsstark(at)mit(dot)edu> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Escaping metacharacters |
| Date: | 2004-07-19 02:44:36 |
| Message-ID: | 87y8lgsokr.fsf@stark.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
DarkSamurai <julio(at)invlaid(dot)linux(dot)net> writes:
> And suppose I use this :
>
> > $cat = $GET["category"];
> > $query = " SELECT Id, Title, Abstract FROM News " . "Where Category=" . $cat;
From a security point of view you're even better off using something like
$dbh->query("SELECT id, title, abstract FROM news WHERE category = ?", $cat);
Or whatever the equivalent syntax is in your driver. Avoiding mixing
user-provided data with the code entirely. The driver may still have to do the
mixing but it's probably better at it than you are. And in newer versions of
Postgres it doesn't even have to do it at all, and can ship the data to the
server separately.
--
greg
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-07-19 03:03:01 | Re: [HACKERS] Point in Time Recovery |
| Previous Message | Andrew Dunstan | 2004-07-19 01:56:10 | Re: Toward better documentation |