Re: Effectiveness of pg_escape_string at blocking SQL injection
operationsengineer1@yahoo.com

2005-05-27, 1:23 pm

--- Ed Finkler <coj@cerias.purdue.edu> wrote:
> Volkan YAZICI wrote:
>
> [snip]
>
> attacks, I'd advice
>
> This is very helpful information. My initial
> thinking is that this
> wouldn't be effective at catching SQL injections,
> but I'll need to
> bounce this off a few other folks.
>
> Thanks!


do let us all know what you find out.

bruno and all... what are bind parameters? how can i
avoid building sql from user input when my sql depends
on user input?

tia...


Bruno Wolff III

2005-05-27, 1:23 pm

On Fri, May 27, 2005 at 10:25:52 -0700, operationsengineer1@yahoo.com wrote:
>
> bruno and all... what are bind parameters? how can i
> avoid building sql from user input when my sql depends
> on user input?


You leave place holders in the SQL string to be replaced by parameters
passed separately. You don't need to do any escaping of the parameters
when passed this way.

Here is a snippet of Perl code that does this:

use DBI;
use CGI qw(param);   # param() returns the submitted form field of that name
# $dbh is an open DBI handle (e.g. DBI->connect('dbi:Pg:dbname=...', $user, $pass)).
# Each ? is a placeholder; the values listed after the empty attribute hash {} are
# sent to the driver separately and never spliced into the SQL text.
$rows = $dbh->do(<<'EOF',
INSERT INTO detail (day, amount, comment, category, cat_type)
SELECT ?, ?, ?, id, cat_type FROM category WHERE id = ?
EOF
{}, param('day'), param('amount'), param('comment'), param('category'));
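Since the thread is about PHP with PostgreSQL, here is the same INSERT written for PHP's pgsql extension, as an added example that is not part of the original post: pg_query_params() takes the statement with $1..$4 placeholders and the values as a separate array, so nothing from the request is ever concatenated into the SQL text and pg_escape_string() is not needed. The table and column names are taken from the Perl snippet above; the connection string and the use of $_POST are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Connection details are assumed.
$conn = pg_connect('host=localhost dbname=ledger user=app')
    or die('connection failed: ' . pg_last_error());

// What the question is trying to avoid: the statement is assembled from request
// input, so a quote inside $in['comment'] changes the meaning of the SQL.
// Kept only to contrast with the parameterised version below.
function insert_unsafe($conn, array $in) {
    $sql = "INSERT INTO detail (day, amount, comment, category, cat_type) "
         . "SELECT '" . $in['day'] . "', " . $in['amount'] . ", '" . $in['comment'] . "', "
         . "id, cat_type FROM category WHERE id = " . $in['category'];
    return pg_query($conn, $sql);   // input has become part of the statement
}

// Bind parameters: placeholders in the statement, values passed separately.
// The server receives the SQL text and the four values as distinct items, so
// a quote, semicolon or comment marker in any value is stored as data.
// Explicit casts tell the server what type each untyped placeholder has.
function insert_with_params($conn, array $in) {
    $sql = 'INSERT INTO detail (day, amount, comment, category, cat_type) '
         . 'SELECT $1::date, $2::numeric, $3::text, id, cat_type '
         . 'FROM category WHERE id = $4::integer';
    $params = array($in['day'], $in['amount'], $in['comment'], $in['category']);
    return pg_query_params($conn, $sql, $params);
}

// Same idea with a named prepared statement, useful when the INSERT runs
// many times: parse once, then execute with a fresh set of values each time.
function insert_prepared($conn, array $in) {
    static $prepared = false;
    if (!$prepared) {
        pg_prepare($conn, 'ins_detail',
            'INSERT INTO detail (day, amount, comment, category, cat_type) '
          . 'SELECT $1::date, $2::numeric, $3::text, id, cat_type '
          . 'FROM category WHERE id = $4::integer');
        $prepared = true;
    }
    return pg_execute($conn, 'ins_detail',
        array($in['day'], $in['amount'], $in['comment'], $in['category']));
}

// Typical call from a form handler; the values are still validated for
// format (a real date, a number) but never escaped for SQL syntax.
$result = insert_with_params($conn, $_POST);
if ($result === false) {
    error_log('insert failed: ' . pg_last_error($conn));
}
```

pg_query_params() and pg_prepare()/pg_execute() require PHP 5.1 or later and a PostgreSQL 7.4 or later server, since they use the extended query protocol that carries parameters separately from the statement.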
