From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
---|---|
To: | operationsengineer1(at)yahoo(dot)com |
Cc: | pgsql-novice(at)postgresql(dot)org |
Subject: | Re: SQL safe input? |
Date: | 2005-08-27 03:33:48 |
Message-ID: | 20050827033348.GA12398@wolff.to |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-novice |
On Fri, Aug 26, 2005 at 15:40:02 -0700,
operationsengineer1(at)yahoo(dot)com wrote:
> > IMO the best way to do this is to use bind
> > parameters to pass user input
> > to queries. Then you don't need to escape anything.
> > You might still check
> > for very long strings.
>
> this got me thinking... is this what you are talking
> about (i use ADOdb)?
>
> $db->Execute("INSERT INTO t_customer (customer_name,
> customer_entry_date) VALUES (?,?)",
> array($customer_name, $db->DBDate(time())));
>
> $customer_name is the validated input from the user
> with no escaping of any kind. is this ok?
>
> this query works just dandy. does it mean i can start
> sleeping at night? -lol-
Yes this is the idea. Bad data for the values can't execute unexpected SQL
commands; it can only cause the query to fail.
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Fuhr | 2005-08-27 05:19:06 | Re: LOG entries: "could not receive data from client" ? |
Previous Message | Bruno Wolff III | 2005-08-27 03:32:03 | Re: SQL safe input? |