Home > mailing lists

Re: Effectiveness of pg_escape_string at blocking SQL injection - Mailing list pgsql-php

From	Bruno Wolff III
Subject	Re: Effectiveness of pg_escape_string at blocking SQL injection
Date	May 27, 2005 18:15:02
Msg-id	20050527181341.GA9856@wolff.to Whole thread Raw
In response to	Re: Effectiveness of pg_escape_string at blocking SQL injection (<operationsengineer1@yahoo.com>)
List	pgsql-php

Tree view

On Fri, May 27, 2005 at 10:25:52 -0700,
  operationsengineer1@yahoo.com wrote:
>
> bruno and all...  what are bind parameters?  how can i
> avoid building sql from user input when my sql depends
> on user input?

You leave place holders in the SQL string to be replaced by parameters
passed separately. You don't need to do any escaping of the parameters
when passed this way.

Here is a snipet of perl code that does this:
    $rows = $dbh->do(<<'EOF',
INSERT INTO detail (day, amount, comment, category, cat_type)
  SELECT ?, ?, ?, id, cat_type FROM category WHERE id = ?
EOF
      {}, param('day'), param('amount'), param('comment'), param('category'));

pgsql-php by date:

From:
Date: 27 May 2005, 17:25:58
Subject: Re: Effectiveness of pg_escape_string at blocking SQL injection

From: Andrew McMillan
Date: 28 May 2005, 05:02:17
Subject: Re: Effectiveness of pg_escape_string at blocking SQL

Re: Effectiveness of pg_escape_string at blocking SQL injection - Mailing list pgsql-php

Previous

Next