Re: SQL injection, php and queueing multiple statement

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: SQL injection, php and queueing multiple statement
Date: 2008-04-12 20:18:34
Message-ID: 20609.1208031514@sss.pgh.pa.us
Lists: pgsql-general

Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> writes:
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Use prepared statements.

> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?

Modify the PHP code (at whatever corresponds to the DBD layer)
to always use PQexecParams, never PQexec, even when you don't
have any parameters.

regards, tom lane
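One way to put Tom's advice into practice in PHP, as an added example that is not part of this thread: a small data-access class that exposes only pg_query_params() (which calls libpq's PQexecParams), so every statement, with or without parameters, takes the single-command path and a string carrying a queued second statement is rejected by the server. The connection string and the users table are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Enforces "always PQexecParams,
// never PQexec" by never wrapping pg_query(): the only way to run SQL through
// this class is pg_query_params(), which PHP implements with PQexecParams.
// PQexecParams accepts at most one SQL command per call, so a query string
// containing a second statement fails instead of executing.

final class PgDb
{
    private $conn;  // PgSql\Connection object (a resource before PHP 8.1)

    public function __construct(string $dsn)
    {
        $conn = pg_connect($dsn);
        if ($conn === false) {
            throw new RuntimeException('pg_connect failed');
        }
        $this->conn = $conn;
    }

    // Sole entry point for SQL. An empty $params array is still sent through
    // pg_query_params(), so even parameterless statements use PQexecParams.
    public function query(string $sql, array $params = []): array
    {
        $res = @pg_query_params($this->conn, $sql, $params); // @: we report the error ourselves
        if ($res === false) {
            throw new RuntimeException('query failed: ' . pg_last_error($this->conn));
        }
        $rows = pg_fetch_all($res);
        return $rows === false ? [] : $rows;   // PHP < 8.0 returns false for zero rows
    }
}

$db = new PgDb('host=localhost dbname=app user=app');   // assumed DSN

// Untrusted input travels out of band as $1; it is never spliced into the SQL text.
$rows = $db->query('SELECT id, name FROM users WHERE name = $1', [$_GET['name'] ?? '']);

// No parameters, same path: a queued second statement is refused by the server
// (PostgreSQL reports "cannot insert multiple commands into a prepared statement").
try {
    $db->query('SELECT 1; SELECT 2');
} catch (RuntimeException $e) {
    echo 'rejected as expected: ', $e->getMessage(), "\n";
}
```

Because pg_query() is not reachable through the class, a code search for `pg_query(` outside this file is a cheap check that the policy holds across the application.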
