| From: | ljb <ljb1813(at)pobox(dot)com> |
|---|---|
| To: | pgsql-php(at)postgresql(dot)org |
| Subject: | Re: pg_query_params and SQL injection |
| Date: | 2008-09-02 00:16:39 |
| Message-ID: | g9i0l7$253u$1@news.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
tearinghairout(at)yahoo(dot)com wrote:
> Hi all
> I am just doing some playing around with PHP to learn how to avoid SQL injection attacks.
> It has been mentioned in a few places that pg_query_params is supposed to protect from sql injection without needing to mess around escaping quotes and things.
>
> However, I was still able to get it to drop a table by feeding in this input "1; drop table results" to the following statement:
> $r = pg_query_params($p, 'select * from results where res_id = $1', array($input));
>
> Everyone keeps repeating the same "pg_query_params is safe from SQL injection", but surely someone else must have actually tried it? Where am I going wrong?
>
> I am using Postgresql 8.3 for OS X on 10.5.2, and MAMP which has PHP Version 5.2.5.
I can't duplicate it and don't think it is possible. I get this error:
PHP Warning: pg_query_params()
Query failed: ERROR: invalid input syntax for integer: "1; drop table results"
Take another look or post more of the code you tried.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Rico Secada | 2008-09-25 19:19:38 | Can't get PHP PDO LOB working with PostgreSQL |
| Previous Message | Kevin Golding | 2008-09-01 13:50:16 | pg_query_params and SQL injection |