Re: pg_query_params and SQL injection - Mailing list pgsql-php

From ljb
Subject Re: pg_query_params and SQL injection
Date
Msg-id g9i0l7$253u$1@news.hub.org
In response to pg_query_params and SQL injection  (Kevin Golding <tearinghairout@yahoo.com>)
List pgsql-php
tearinghairout@yahoo.com wrote:
> Hi all
> I am just doing some playing around with PHP to learn how to avoid SQL injection attacks.
> It has been mentioned in a few places that pg_query_params is supposed to protect from sql injection without needing
> to mess around escaping quotes and things.
>
> However, I was still able to get it to drop a table by feeding in this input "1; drop table results" to the following
> statement:
> $r = pg_query_params($p, 'select * from results where res_id = $1', array($input));
>
> Everyone keeps repeating the same "pg_query_params is safe from SQL injection", but surely someone else must have
> actually tried it? Where am I going wrong?
>
> I am using Postgresql 8.3 for OS X on 10.5.2, and MAMP which has PHP Version 5.2.5.

I can't duplicate it and don't think it is possible. I get this error:
PHP Warning:  pg_query_params()
Query failed: ERROR:  invalid input syntax for integer: "1; drop table results"

Take another look or post more of the code you tried.
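
The following is an added example, not code from either poster: the statement from the original question run through pg_query_params against a throw-away temp table, next to the string-concatenation form that would actually be injectable. It assumes a reachable PostgreSQL server; the connection string values, the table layout and the sample rows are placeholders constructed for the example.

```php
<?php
// Added example (not from the thread). Connection values are placeholders.
$conn = pg_connect('host=localhost dbname=testdb user=testuser password=CHANGE_ME')
    or die('connection failed: ' . pg_last_error());

// Throw-away table so the example is self-contained (constructed sample data).
pg_query($conn, 'create temp table results (res_id integer primary key, name text)');
pg_query($conn, "insert into results values (1, 'alpha'), (2, 'beta')");

// The input from the original post: a value carrying a second statement.
$input = '1; drop table results';

// UNSAFE (left commented out on purpose): the untrusted value is pasted into the
// SQL text, so the server parses two statements. pg_query() accepts
// multi-statement strings, so the DROP would run.
// $r = pg_query($conn, 'select * from results where res_id = ' . $input);

// SAFE: the SQL text is fixed and contains only the placeholder $1. The value
// travels separately from the statement (extended query protocol), so it is
// bound as data and can never be parsed as SQL. Because res_id is an integer
// column, the server rejects this string as a bad integer literal, which is the
// warning ljb reports above. The @ only silences PHP's warning so we can print
// the server's error ourselves.
$r = @pg_query_params($conn, 'select * from results where res_id = $1', array($input));
if ($r === false) {
    echo 'integer column: query rejected: ' . pg_last_error($conn) . "\n";
}

// Against a text column the same value is simply compared as a string: no row
// matches and nothing is executed.
$r = pg_query_params($conn, 'select * from results where name = $1', array($input));
echo 'text column: rows matched = ' . pg_num_rows($r) . "\n";

// A well-formed value works through the same statement.
$r = pg_query_params($conn, 'select * from results where res_id = $1', array('1'));
var_dump(pg_fetch_assoc($r));

// The table survived both parameterized calls.
$check = pg_query($conn, 'select count(*) from results');
echo 'rows still in results: ' . pg_fetch_result($check, 0, 0) . "\n";
pg_close($conn);
```

Two caveats worth keeping in mind when relying on this: pg_query_params only parameterizes values, so a table or column name taken from user input still has to be validated separately (it cannot be passed as $1), and the protection only holds if the query text itself is a fixed string; building the text with concatenation and then calling pg_query_params on it gives no benefit.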
