| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | operationsengineer1(at)yahoo(dot)com |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: SQL safe input? |
| Date: | 2005-08-27 03:33:48 |
| Message-ID: | 20050827033348.GA12398@wolff.to |
| Lists: | pgsql-novice |
On Fri, Aug 26, 2005 at 15:40:02 -0700,
operationsengineer1(at)yahoo(dot)com wrote:
> > IMO the best way to do this is to use bind parameters to pass user input
> > to queries. Then you don't need to escape anything. You might still check
> > for very long strings.
>
> This got me thinking... is this what you are talking about (I use ADOdb)?
>
> $db->Execute("INSERT INTO t_customer (customer_name, customer_entry_date) VALUES (?,?)",
>              array($customer_name, $db->DBDate(time())));
>
> $customer_name is the validated input from the user with no escaping of any
> kind. Is this ok?
>
> This query works just dandy. Does it mean I can start sleeping at night? -lol-
Yes, this is the idea. Bad data for the values can't execute unexpected SQL
commands; it can only cause the query to fail.
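The point Bruno makes, shown as an added example that is not part of the original thread and not ADOdb's or PostgreSQL's code: the same INSERT built by string formatting and by bind parameters, fed the same hostile customer name. It is constructed Python on the standard-library sqlite3 module rather than PHP/ADOdb on PostgreSQL, but the mechanism is identical: with a bind parameter the SQL text is fixed and the value travels separately, so it can only be data. The table and column names come from the thread; the length CHECK, the pre-existing row, the hostile input and the helper names are assumptions made for the demo. The third case is the "query can only fail" outcome from the reply and the "check for very long strings" remark from the quoted advice: an over-long value through a bind parameter raises a constraint error and touches nothing.

```python
import sqlite3

# Constructed schema for the demo. Table and column names come from the
# thread; the length CHECK is an assumption, added so that "bad" input has a
# constraint to violate.
SCHEMA = """
CREATE TABLE t_customer (
    customer_name       TEXT NOT NULL CHECK (length(customer_name) <= 80),
    customer_entry_date TEXT NOT NULL
);
"""

# Constructed hostile input: closes the string and the VALUES list, appends a
# second statement, then comments out whatever the application wrote after it.
MALICIOUS_NAME = "Evil', '2005-08-27'); DELETE FROM t_customer; --"


def open_db():
    """Fresh in-memory database holding one pre-existing customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO t_customer VALUES (?, ?)",
                 ("existing customer", "2005-08-27"))
    conn.commit()
    return conn


def insert_customer_unsafe(conn, customer_name, entry_date):
    """Vulnerable form: the user's string is spliced into the SQL text.

    executescript() is used on purpose: like PostgreSQL's simple-query
    protocol, which is where a plain string handed to ADOdb's Execute() ends
    up, it runs every statement in the string.  sqlite3's execute() would
    refuse the stacked statement, which would hide the bug, not fix it.
    """
    sql = ("INSERT INTO t_customer (customer_name, customer_entry_date) "
           "VALUES ('%s', '%s');" % (customer_name, entry_date))
    conn.executescript(sql)


def insert_customer_safe(conn, customer_name, entry_date):
    """Bind-parameter form, the equivalent of the ADOdb call in the thread.

    The SQL text never changes; the values are handed to the driver
    separately and can only ever be data.
    """
    conn.execute(
        "INSERT INTO t_customer (customer_name, customer_entry_date) "
        "VALUES (?, ?)",
        (customer_name, entry_date),
    )
    conn.commit()


def customer_names(conn):
    """All customer names in insertion order."""
    rows = conn.execute("SELECT customer_name FROM t_customer ORDER BY rowid")
    return [name for (name,) in rows]


def demo_unsafe():
    """Hostile name through string building: the whole table is wiped."""
    conn = open_db()
    insert_customer_unsafe(conn, MALICIOUS_NAME, "2005-08-27")
    return customer_names(conn)


def demo_safe():
    """Same hostile name through a bind parameter: stored as a literal."""
    conn = open_db()
    insert_customer_safe(conn, MALICIOUS_NAME, "2005-08-27")
    return customer_names(conn)


def demo_safe_bad_data():
    """Over-long name through a bind parameter: the query fails, nothing else.

    Returns the exception class name and the table contents afterwards.
    """
    conn = open_db()
    try:
        insert_customer_safe(conn, "x" * 81, "2005-08-27")
    except sqlite3.IntegrityError as exc:
        return type(exc).__name__, customer_names(conn)
    return None, customer_names(conn)


if __name__ == "__main__":
    print("string-built SQL, hostile name :", demo_unsafe())
    print("bind parameter, hostile name   :", demo_safe())
    print("bind parameter, 81-char name   :", demo_safe_bad_data())
```

Run it directly to see the three outcomes side by side. The unsafe path leaves an empty table because the injected DELETE ran; the safe path stores the entire hostile string, punctuation and all, as one customer name; the over-long value is rejected by the CHECK and the existing row is untouched. The "validated input" the original poster mentions is still worth doing for length and format, but it is not what stops the injection.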