vdephily@bluemetrix.com wrote:
>...
> I think you can instead use prepared statements via SQL directly (as php
> probably does in the end) :
>
> // initialisation
> pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES
> ($1);');
> // insert loop
> pg_query("EXECUTE mystatement (' . pg_escape_bytea($data) . "');");
>
> Annoying to have to do all this yourself, but it should work (and it *is* a
> parameterized query).
It's sort of a parameterized query, but not really in the sense the
original poster wants. That is, it does not protect against SQL injection
attacks the way a true parameterized query does (with the variable data
passed outside of the SQL statement itself, and not subject to SQL
parsing). If some way around pg_escape_bytea were to be found (as perhaps
happened before with multi-byte characters and PQescapeString), the above
could be vulnerable. In fact I don't see where it is any safer than
just doing pg_query("INSERT ... '" . pg_escape_bytea($data) . "')");
