Re: SQL injection, php and queueing multiple statement - Mailing list pgsql-general

From Tom Lane
Subject Re: SQL injection, php and queueing multiple statement
Msg-id 20609.1208031514@sss.pgh.pa.us
In response to Re: SQL injection, php and queueing multiple statement  (Ivan Sergio Borgonovo <mail@webthatworks.it>)
List pgsql-general
Ivan Sergio Borgonovo <mail@webthatworks.it> writes:
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Use prepared statements.

> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?

Modify the PHP code (at whatever corresponds to the DBD layer)
to always use PQexecParams, never PQexec, even when you don't
have any parameters.

            regards, tom lane
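An added example, not code from the thread or from either poster, of what "always use PQexecParams, never PQexec" looks like at the PHP data-access layer: a small wrapper class whose only query method calls pg_query_params (which maps to libpq's PQexecParams), so there is no code path through which untrusted input can reach PQexec as query text. The table name, column names and the connection string are placeholders; the pgsql extension is assumed.

```php
<?php
// Added example (not from the thread): a minimal PHP data-access layer that
// follows Tom Lane's advice. Every query goes through pg_query_params
// (libpq PQexecParams), which accepts exactly one statement, so a value
// such as "1; DROP TABLE users" can never be queued as a second command.
// Assumed: the pgsql extension, a table "users(id integer, name text)",
// and a connection string in $dsn; all of these are placeholders.

final class Db
{
    private $conn;

    public function __construct(string $dsn)
    {
        $this->conn = pg_connect($dsn);
        if ($this->conn === false) {
            throw new RuntimeException('connection failed');
        }
    }

    // The only way to run SQL through this class. $sql must use $1, $2, ...
    // placeholders; $params are sent out of band, never spliced into $sql.
    public function query(string $sql, array $params = []): array
    {
        // pg_query_params -> PQexecParams: one statement only, parameters
        // transmitted separately from the query text.
        $res = pg_query_params($this->conn, $sql, $params);
        if ($res === false) {
            throw new RuntimeException(pg_last_error($this->conn));
        }
        // pg_fetch_all() returned false for an empty result on older PHP.
        return pg_fetch_all($res) ?: [];
    }
}

$db = new Db('host=localhost dbname=app user=app');   // placeholder DSN

// Untrusted input straight from the request. The string-built form
// pg_query($conn, "SELECT ... WHERE id = $id") would hand a second statement
// to PQexec; here the value is only ever a bound parameter.
$id = $_GET['id'] ?? '';
$rows = $db->query('SELECT id, name FROM users WHERE id = $1', [$id]);

// Even with no parameters, still use the params path so PQexec is never
// reached, which is the point of the reply above.
$all = $db->query('SELECT id, name FROM users ORDER BY id');
```

Because the class exposes no method that wraps pg_query, a code review or a simple grep for `pg_query(` outside this file becomes the enforcement mechanism the original question asked for. A non-numeric value in `$id` is rejected by the server as invalid input for the integer column rather than being interpreted as SQL.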
