From: PFC <lists(at)peufeu(dot)com>
To: "Brendan Jurd" <direvus(at)gmail(dot)com>
Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-29 07:26:24
Message-ID: op.uac2yav2cigqcu@apollo13.peufeu.com
Lists: pgsql-hackers

On Tue, 29 Apr 2008 01:03:33 +0200, Brendan Jurd <direvus(at)gmail(dot)com> wrote:
> On Tue, Apr 29, 2008 at 7:00 AM, PFC <lists(at)peufeu(dot)com> wrote:
>> I have found that the little bit of code posted afterwards did eliminate
>> SQL holes in my PHP applications with zero developer pain; actually, it
>> is MORE convenient to use than randomly pasting strings into queries.
>>
>> You just call
>> db_query( "SELECT * FROM table WHERE column1=%s AND column2=%s", array( $var1, $var2 ));
>>
>
> Implementing this for yourself is crazy; PHP's Postgres extension
> already does this for you since 5.1.0:
>
> $result = pg_query_params("SELECT foo FROM bar WHERE baz = $1", array($baz));
>
> http://www.php.net/manual/en/function.pg-query-params.php
>
> Cheers,
> BJ
pg_query_params is actually quite a bit slower...
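Worked example, added here and not code from the thread (PFC's real db_query() was posted in an earlier message that is not on this page): the two approaches discussed above side by side, transposed from PHP into Python so that it runs without a database. The template convention (%s for a value, %% for a literal percent sign), the client-side escaping rules and the rewrite to $1, $2 numbered placeholders are my own assumptions about how such a helper is built; quote_literal() is a constructed stand-in for pg_escape_literal(), and to_query_params() produces the (query, values) pair that pg_query_params() or any PQexecParams-based driver would take. The hostile input is constructed for the demonstration.

```python
import re

# Tokens a db_query()-style template uses: %s is a value slot, %% a literal percent.
# (Assumed convention for this example, not taken from the thread's code.)
TOKEN = re.compile(r"%%|%s")


def unsafe_query(template, params):
    """The 'before' picture: values pasted straight into the query text.
    A quote inside a value ends the literal and the rest is parsed as SQL."""
    return template % tuple(str(p) for p in params)


def quote_literal(value):
    """Client-side escaping of one Python value into a PostgreSQL literal.
    Constructed stand-in for PHP's pg_escape_literal(); a real helper should
    call the driver's function, which knows the connection's client encoding
    (multi-byte encodings are where hand-rolled escaping goes wrong)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # test before int: bool is a subclass of int
        return "TRUE" if value else "FALSE"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, bytes):
        return "'\\x" + value.hex() + "'::bytea"   # hex bytea input format
    text = str(value)
    if "\0" in text:
        raise ValueError("NUL byte cannot appear in a PostgreSQL string literal")
    if "\\" in text:
        # Backslash handling depends on standard_conforming_strings; the E''
        # form has one fixed meaning whatever that setting is.
        return "E'" + text.replace("\\", "\\\\").replace("'", "''") + "'"
    return "'" + text.replace("'", "''") + "'"


def db_query(template, params):
    """The db_query() style from the thread: every %s is replaced by an escaped
    literal on the client and the finished text is sent as one plain query.
    A placeholder/value count mismatch is refused rather than silently leaving
    a stray %s or dropping a value."""
    params = list(params)
    slots = sum(1 for m in TOKEN.finditer(template) if m.group() == "%s")
    if slots != len(params):
        raise ValueError(f"{slots} placeholder(s) but {len(params)} value(s)")
    values = iter(params)
    return TOKEN.sub(
        lambda m: "%" if m.group() == "%%" else quote_literal(next(values)),
        template,
    )


def to_query_params(template, params):
    """The pg_query_params() style: rewrite %s as $1, $2, ... and keep the values
    separate, so the server binds them and they are never parsed as SQL."""
    params = list(params)
    count = 0

    def number(m):
        nonlocal count
        if m.group() == "%%":
            return "%"
        count += 1
        return f"${count}"

    sql = TOKEN.sub(number, template)
    if count != len(params):
        raise ValueError(f"{count} placeholder(s) but {len(params)} value(s)")
    return sql, params


if __name__ == "__main__":
    hostile = "x' OR '1'='1"          # constructed injection payload
    print(unsafe_query("SELECT * FROM t WHERE c='%s'", [hostile]))
    print(db_query("SELECT * FROM t WHERE c=%s AND d=%s", [hostile, 5]))
    print(to_query_params("SELECT * FROM t WHERE c=%s AND d=%s", [hostile, 5]))
```

Both safe variants keep the quote character inside the value: the escaped form doubles it so the literal stays closed, the bound form never lets the value reach the parser at all. The escaped form is what the thread says is faster, but it only stays safe as long as the escaping matches the server's encoding and string settings, which is why a production helper should defer to the driver's escaping function rather than the hand-written rules shown here.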