Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Protection from SQL injection
- From: "Brendan Jurd" <direvus(at)gmail(dot)com>
- To: PFC <lists(at)peufeu(dot)com>
- Cc: "Thomas Mueller" <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
- Subject: Re: Protection from SQL injection
- Date: Tue, 29 Apr 2008 09:03:33 +1000
- Message-id: <37ed240d0804281603g145435b7yc55e835233634627(at)mail(dot)gmail(dot)com>
On Tue, Apr 29, 2008 at 7:00 AM, PFC <lists(at)peufeu(dot)com> wrote:
> I have found that the little bit of code posted afterwards did eliminate
> SQL holes in my PHP applications with zero developer pain, actually it is
> MORE convenient to use than randomly pasting strings into queries.
>
> You just call
> db_query( "SELECT * FROM table WHERE column1=%s AND column2=%s", array(
> $var1, $var2 ));
>
Implementing this for yourself is crazy; PHP's Postgres extension
already does this for you since 5.1.0:
$result = pg_query_params("SELECT foo FROM bar WHERE baz = $1", array($baz));
http://www.php.net/manual/en/function.pg-query-params.php
Cheers,
BJ
- Follow-Ups:
- Re: Protection from SQL injection
- From: PFC
- Re: Protection from SQL injection
- References:
- Protection from SQL injection
- From: Thomas Mueller
- Re: Protection from SQL injection
- From: PFC
- Protection from SQL injection
- Prev by Date: Re: WANTED: VACUUM SUMMARY
- Next by Date: Re: Protection from SQL injection
- Previous by thread: Re: Protection from SQL injection
- Next by thread: Re: Protection from SQL injection
- Indexes: