Re: SQL injection, php and queueing multiple statement

From: "Adam Rich" <adam(dot)r(at)sbcglobal(dot)net>
To: "'Ivan Sergio Borgonovo'" <mail(at)webthatworks(dot)it>, <pgsql-general(at)postgresql(dot)org>
Subject: Re: SQL injection, php and queueing multiple statement
Date: 2008-04-11 19:27:09
Message-ID: 039f01c89c0a$096fff80$1c4ffe80$@r@sbcglobal.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

> Is there a switch (php side or pg side) to avoid things like:
>
> pg_query("select id from table1 where a=$i");
>
> into becoming
>
> pg_query("select id from table1 where a=1 and 1=1; do something
> nasty; -- ");

Ideally, you'd use this:

pg_query_params('select id from table1 where a=$1', array($i));

http://us2.php.net/manual/en/function.pg-query-params.php

Alternately, you can do this:

$i = pg_escape_string($i);
pg_query(" select id from table1 where a='$i' ");

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Chris Browne 2008-04-11 20:20:23 Re: SQL injection, php and queueing multiple statement
Previous Message Ivan Sergio Borgonovo 2008-04-11 19:21:28 SQL injection, php and queueing multiple statement