| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | operationsengineer1(at)yahoo(dot)com |
| Cc: | Ed Finkler <coj(at)cerias(dot)purdue(dot)edu>, Volkan YAZICI <volkan(dot)yazici(at)gmail(dot)com>, pgsql-php(at)postgresql(dot)org |
| Subject: | Re: Effectiveness of pg_escape_string at blocking SQL injection |
| Date: | 2005-05-27 18:13:41 |
| Message-ID: | 20050527181341.GA9856@wolff.to |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
On Fri, May 27, 2005 at 10:25:52 -0700,
operationsengineer1(at)yahoo(dot)com wrote:
>
> bruno and all... what are bind parameters? how can i
> avoid building sql from user input when my sql depends
> on user input?
You leave place holders in the SQL string to be replaced by parameters
passed separately. You don't need to do any escaping of the parameters
when passed this way.
Here is a snipet of perl code that does this:
$rows = $dbh->do(<<'EOF',
INSERT INTO detail (day, amount, comment, category, cat_type)
SELECT ?, ?, ?, id, cat_type FROM category WHERE id = ?
EOF
{}, param('day'), param('amount'), param('comment'), param('category'));
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew McMillan | 2005-05-28 05:01:20 | Re: Effectiveness of pg_escape_string at blocking SQL |
| Previous Message | operationsengineer1 | 2005-05-27 17:25:52 | Re: Effectiveness of pg_escape_string at blocking SQL injection |