Re: SQL safe input? - Mailing list pgsql-novice

From Bruno Wolff III
Subject Re: SQL safe input?
Date
Msg-id 20050827033348.GA12398@wolff.to
Whole thread Raw
In response to Re: SQL safe input?  (<operationsengineer1@yahoo.com>)
Responses Re: SQL safe input?  (<operationsengineer1@yahoo.com>)
List pgsql-novice
On Fri, Aug 26, 2005 at 15:40:02 -0700,
  operationsengineer1@yahoo.com wrote:
> > IMO the best way to do this is to use bind
> > parameters to pass user input
> > to queries. Then you don't need to escape anything.
> > You might still check
> > for very long strings.
>
> this got me thinking...  is this what you are talking
> about (i use ADOdb)?
>
> $db->Execute("INSERT INTO t_customer (customer_name,
> customer_entry_date) VALUES (?,?)",
> array($customer_name, $db->DBDate(time())));
>
> $customer_name is the validated input from the user
> with no escaping of any kind.  is this ok?
>
> this query works just dandy.  does it mean i can start
> sleeping at night?  -lol-

Yes this is the idea. Bad data for the values can't execute unexpected SQL
commands; it can only cause the query to fail.

pgsql-novice by date:

Previous
From: Bruno Wolff III
Date:
Subject: Re: SQL safe input?
Next
From: Alex du Plessis
Date:
Subject: Created objects not visible