Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- From: ljb <lbayuk(at)pobox(dot)com>
- To: pgsql-php(at)postgresql(dot)org
- Subject: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- Date: Tue, 6 Feb 2007 02:20:51 +0000 (UTC)
vdephily(at)bluemetrix(dot)com wrote:
>...
> I think you can instead use prepared statements via SQL directly (as php
> probably does in the end) :
>
> // initialisation
> pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES
> ($1);');
> // insert loop
> pg_query("EXECUTE mystatement (' . pg_escape_bytea($data) . "');");
>
> Annoying to have to do all this yourself, but it should work (and it *is* a
> parameterized query).
It's sort of a parameterized query, but not really in the sense the
original poster wants. That is, it does not protect against SQL injection
attacks the way a true parameterized query does (with the variable data
passed outside of the SQL statement itself, and not subject to SQL
parsing). If some way around pg_escape_bytea were to be found (as perhaps
happened before with multi-byte characters and PQescapeString), the above
could be vulnerable. In fact I don't see where it is any safer than
just doing pg_query("INSERT ... '" . pg_escape_bytea($data) . "')");
- References:
- pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- From: Gary Chambers
- Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- From: ljb
- Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- From: Gary Chambers
- Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- From: Vincent de Phily
- pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- Prev by Date: Re: [ADMIN] Symbol lookup error
- Next by Date: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- Previous by thread: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- Next by thread: Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
- Indexes: