Home > mailing lists

Re: Protection from SQL injection - Mailing list pgsql-hackers

From	PFC
Subject	Re: Protection from SQL injection
Date	April 29, 2008 07:21:22
Msg-id	op.uac2yav2cigqcu@apollo13.peufeu.com Whole thread Raw
In response to	Re: Protection from SQL injection ("Brendan Jurd" <direvus@gmail.com>)
Responses	Re: Protection from SQL injection ("Thomas Mueller" <thomas.tom.mueller@gmail.com>)
List	pgsql-hackers

Tree view

On Tue, 29 Apr 2008 01:03:33 +0200, Brendan Jurd <direvus@gmail.com> wrote:

> On Tue, Apr 29, 2008 at 7:00 AM, PFC <lists@peufeu.com> wrote:
>>  I have found that the little bit of code posted afterwards did
>> eliminate
>> SQL holes in my PHP applications with zero developer pain, actually it
>> is
>> MORE convenient to use than randomly pasting strings into queries.
>>
>>  You just call
>>  db_query( "SELECT * FROM table WHERE column1=%s AND column2=%s", array(
>> $var1, $var2 ));
>>
>
> Implementing this for yourself is crazy; PHP's Postgres extension
> already does this for you since 5.1.0:
>
> $result = pg_query_params("SELECT foo FROM bar WHERE baz = $1",
> array($baz));
>
> http://www.php.net/manual/en/function.pg-query-params.php
>
> Cheers,
> BJ
pg_query_params is quite slower actually...

pgsql-hackers by date:

From: Tom Lane
Date: 29 April 2008, 04:12:48
Subject: Re: [COMMITTERS] pgsql: Increase the statement_timeout value used in the prepared_xacts

From: Peter Eisentraut
Date: 29 April 2008, 08:44:37
Subject: Re: we don't have a bugzilla

Re: Protection from SQL injection - Mailing list pgsql-hackers

Previous

Next