Home > mailing lists

Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

From	Adam Rich
Subject	Re: SQL injection, php and queueing multiple statement
Date	April 11, 2008 19:27:10
Msg-id	039f01c89c0a$096fff80$1c4ffe80$@r@sbcglobal.net Whole thread Raw
In response to	SQL injection, php and queueing multiple statement (Ivan Sergio Borgonovo <mail@webthatworks.it>)
Responses	Re: SQL injection, php and queueing multiple statement (Ivan Sergio Borgonovo <mail@webthatworks.it>)
List	pgsql-general

Tree view

> Is there a switch (php side or pg side) to avoid things like:
>
> pg_query("select id from table1 where a=$i");
>
> into becoming
>
> pg_query("select id from table1 where a=1 and 1=1; do something
> nasty; -- ");

Ideally, you'd use this:

pg_query_params('select id from table1 where a=$1', array($i));

http://us2.php.net/manual/en/function.pg-query-params.php

Alternately, you can do this:

$i = pg_escape_string($i);
pg_query(" select id from table1 where a='$i' ");

pgsql-general by date:

From: Ivan Sergio Borgonovo
Date: 11 April 2008, 19:21:38
Subject: SQL injection, php and queueing multiple statement

From: Stefan Sturm
Date: 11 April 2008, 21:22:08
Subject: Re: PostgreSQL Processes on a linux box

Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

Previous

Next