Re: Select Where using character varying ?? - Mailing list pgsql-php

From Mariusz Pękala
Subject Re: Select Where using character varying ??
Date
Msg-id 20061003200353.GA8719@cthulhu.sdi.tpnet.pl
Whole thread Raw
In response to Re: Select Where using character varying ??  (DCarrero <dcarreroc@gmail.com>)
Responses Re: Select Where using character varying ??
List pgsql-php
> I think you should try:
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> =\"$Sem\"");

Double quotes are for quoting column names, not string constants.

> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> ='$Sem'");

Better, but all strings, especially provided by some user, should be
treated by the function pg_escape_string.

Consider that some user types in a form field a text like this:

'; delete from seminar where ''='

When you add single quotes you get two valid queries. One of them is
what you would never want to be executed ;-)

And, by the way - pg_exec is a deprecated name AFAIK. The new one is
pg_query.


--
Ceterum censeo Internet Explorer esse delendam.

Attachment

pgsql-php by date:

Previous
From: DCarrero
Date:
Subject: Re: Select Where using character varying ??
Next
From: Robert Treat
Date:
Subject: Re: Select Where using character varying ??