| From: | PFC <lists(at)peufeu(dot)com> |
|---|---|
| To: | josh(at)agliodbs(dot)com, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Protection from SQL injection |
| Date: | 2008-04-29 19:06:18 |
| Message-ID: | op.uadzcsamcigqcu@apollo13.peufeu.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> For example, some applications need to replace whole phrases:
>
> $criteria = "WHERE $var1 = '$var2'"
>
> This is a very common approach for dynamic search screens, and really not
> covered by placeholder approaches.
Python, again :
params = {
'column1': 10,
'column2': "a st'ring",
}
where = " AND ".join( "%s=%%s" % (key,value) for key,value in
params.items() )
cursor.execute( "SELECT * FROM table WHERE " + where, params )
I use the same approach (albeit more complicated) in PHP.
For complex expressions you can play with arrays etc, it is not that
difficult.
Or you just do :
$criteria = db_quote_query( "WHERE $var1 = %s", array( $var2 ))
using the function I posted earlier.
This supposes of course that $var1 which is the column name, comes from a
known source, and not user input.
In that case, $var1 will probably be the form field name, which means it
is specified by the programmer a few lines prior in the code.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Mueller | 2008-04-29 19:29:41 | Re: Protection from SQL injection |
| Previous Message | Josh Berkus | 2008-04-29 18:39:09 | Re: Protection from SQL injection |