Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: Select Where using character varying ??
- From: Mariusz Pękala <skoot(at)qi(dot)pl>
- To: pgsql-php(at)postgresql(dot)org
- Subject: Re: Select Where using character varying ??
- Date: Tue, 3 Oct 2006 22:03:53 +0200
> I think you should try: > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name > =\"$Sem\""); Double quotes are for quoting column names, not string constants. > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name > ='$Sem'"); Better, but all strings, especially provided by some user, should be treated by the function pg_escape_string. Consider that some user types in a form field a text like this: '; delete from seminar where ''=' When you add single quotes you get two valid queries. One of them is what you would never want to be executed ;-) And, by the way - pg_exec is a deprecated name AFAIK. The new one is pg_query. -- Ceterum censeo Internet Explorer esse delendam.
Attachment:
pgphvA2vCyy9L.pgp
Description: PGP signature
- Follow-Ups:
- Re: Select Where using character varying ??
- From: Robert Treat
- Re: Select Where using character varying ??
- References:
- Select Where using character varying ??
- From: ben wilko
- Re: Select Where using character varying ??
- From: Charley Tiggs
- Re: Select Where using character varying ??
- From: DCarrero
- Select Where using character varying ??
- Prev by Date: Re: Select Where using character varying ??
- Next by Date: Re: Select Where using character varying ??
- Previous by thread: Re: Select Where using character varying ??
- Next by thread: Re: Select Where using character varying ??
- Indexes: