Skip site navigation (1) Skip section navigation (2)

Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux

From: ljb <lbayuk(at)pobox(dot)com>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
Date: 2007-02-06 02:20:51
Message-ID: eq8om3$4om$1@news.hub.org (view raw or flat)
Thread:
Lists: pgsql-php
vdephily(at)bluemetrix(dot)com wrote:
>...
> I think you can instead use prepared statements via SQL directly (as php 
> probably does in the end) :
>
> // initialisation
> pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES 
> ($1);');
> // insert loop
> pg_query("EXECUTE mystatement (' . pg_escape_bytea($data) . "');");
>
> Annoying to have to do all this yourself, but it should work (and it *is* a 
> parameterized query).

It's sort of a parameterized query, but not really in the sense the
original poster wants. That is, it does not protect against SQL injection
attacks the way a true parameterized query does (with the variable data
passed outside of the SQL statement itself, and not subject to SQL
parsing).  If some way around pg_escape_bytea were to be found (as perhaps
happened before with multi-byte characters and PQescapeString), the above
could be vulnerable. In fact I don't see where it is any safer than
just doing pg_query("INSERT ... '" . pg_escape_bytea($data) . "')");

In response to

pgsql-php by date

Next:From: Gary ChambersDate: 2007-02-07 14:58:34
Subject: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
Previous:From: Tom LaneDate: 2007-02-05 21:49:10
Subject: Re: Symbol lookup error

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group