Thread: Re: Effectiveness of pg_escape_string at blocking SQL injection

--- Ed Finkler <coj@cerias.purdue.edu> wrote:
> Volkan YAZICI wrote:
>
> [snip]
>
> > If you think they're not enough for SQL-Injection attacks, I'd advise
> > you to patch libpq code, not PHP.
>
> This is very helpful information.  My initial thinking is that this
> wouldn't be effective at catching SQL injections, but I'll need to
> bounce this off a few other folks.
>
> Thanks!

Do let us all know what you find out.

Bruno and all...  what are bind parameters?  How can I
avoid building SQL from user input when my SQL depends
on user input?

tia...


Re: Effectiveness of pg_escape_string at blocking SQL injection

From: Bruno Wolff III
On Fri, May 27, 2005 at 10:25:52 -0700,
  operationsengineer1@yahoo.com wrote:
>
> Bruno and all...  what are bind parameters?  How can I
> avoid building SQL from user input when my SQL depends
> on user input?

You leave placeholders in the SQL string to be replaced by parameters
passed separately. You don't need to do any escaping of the parameters
when passed this way.

Here is a snippet of perl code that does this:
    use DBI;
    use CGI qw(param);    # param() returns the submitted form fields
    # DBNAME/USER/PASSWORD are placeholders; the original snippet assumed an already-connected $dbh
    my $dbh = DBI->connect('dbi:Pg:dbname=DBNAME', 'USER', 'PASSWORD', { RaiseError => 1 });
    # Each ? is a placeholder; the values after the (empty) attribute hashref are sent
    # to the server separately and are never spliced into the SQL text, so no escaping is needed.
    my $rows = $dbh->do(<<'EOF',
INSERT INTO detail (day, amount, comment, category, cat_type)
  SELECT ?, ?, ?, id, cat_type FROM category WHERE id = ?
EOF
      {}, param('day'), param('amount'), param('comment'), param('category'));
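The same statement written with PHP's pgsql extension, which is what the original pg_escape_string question concerned. This is an added illustration, not code from anyone in the thread; the connection string, the table and column names, and the sample input array are assumptions. It puts the escape-and-concatenate form next to the bind-parameter form (pg_query_params, with $1..$4 placeholders) so the difference Bruno describes is visible.

```php
<?php
// Added example (not from the thread). Connection string, table/column
// names and the sample input are assumptions.
declare(strict_types=1);

$conn = pg_connect('host=localhost dbname=ledger user=app')
    or die('connect failed: ' . pg_last_error());

// Escaping form: pg_escape_string() only makes a value safe INSIDE a quoted
// string literal, so every interpolated value has to be quoted, and the SQL
// text is still rebuilt from user input on every request.
function insert_with_escaping($conn, array $in): bool
{
    $sql = sprintf(
        "INSERT INTO detail (day, amount, comment, category, cat_type)
           SELECT '%s', '%s', '%s', id, cat_type FROM category WHERE id = '%s'",
        pg_escape_string($conn, $in['day']),
        pg_escape_string($conn, $in['amount']),
        pg_escape_string($conn, $in['comment']),
        pg_escape_string($conn, $in['category'])
    );
    return pg_query($conn, $sql) !== false;
}

// Bind-parameter form: the SQL text is a constant containing only the
// placeholders $1..$4. The values are sent to the server separately and are
// never parsed as SQL, so nothing is escaped and an apostrophe in "comment"
// is simply data.
function insert_with_params($conn, array $in): bool
{
    $sql = 'INSERT INTO detail (day, amount, comment, category, cat_type)
              SELECT $1, $2, $3, id, cat_type FROM category WHERE id = $4';
    $res = pg_query_params($conn, $sql,
        [$in['day'], $in['amount'], $in['comment'], $in['category']]);
    return $res !== false;
}

// Constructed sample input standing in for $_POST.
$input = [
    'day'      => '2005-05-27',
    'amount'   => '12.50',
    'comment'  => "O'Brien's invoice",
    'category' => '3',
];
var_dump(insert_with_params($conn, $input));
```

Running it against a database with the assumed tables inserts one row; the comment value is stored with its apostrophe intact without any escaping call in the parameterized path.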