Thread: pg_prepare question

Hi,
   I know I should be using pg_prepare/pg_execute to make my PHP -
postgres code more secure.  But I am wondering just what I can put in
for parameters:  Here is a brief checklist:

     1.  values for inserted columns            OK
     2.  names of inserted columns              ????
     3.  names of tables                        ????
     4.  A whole select list e.g. "fu, bar"     NOT OK

My application is a bit more complex than the ones shown in the books
and manuals.  My data comes in as a large number of individual tables
which are sort of related (worldwide mortality statistics) but which
have widely differing table structures.  So I am always creating
temporary tables to handle data input and output, and these tables have
variable column structure.

Thanks in advance
Mary

On Mar 7, 2008, at 1:21 PM, Mary Anderson wrote:

>  I know I should be using pg_prepare/pg_execute to make my PHP -
> postgres code more secure.  But I am wondering just what I can put
> in for parameters:  Here is a brief checklist:
>
>    1.  values for inserted columns            OK
>    2.  names of inserted columns              ????
>    3.  names of tables                        ????
>    4.  A whole select list e.g. "fu, bar"     NOT OK
>
> My application is a bit more complex than the ones shown in the
> books and manuals.  My data comes in as a large number of individual
> tables which are sort of related (worldwide mortality statistics)
> but which have widely differing table structures.  So I am always
> creating temporary tables to handle data input and output, and these
> tables have variable column structure.


Values only. But you can still generate your SQL dynamically for
creating prepared statements to handle variable table and column
names. The important part is to parameterize values to secure any data
coming from outside sources.



John DeSoi, Ph.D.