Re: Select Where using character varying ??

From: Mariusz Pękala
Subject: Re: Select Where using character varying ??
Msg-id: 20061003200353.GA8719@cthulhu.sdi.tpnet.pl
In reply to: Re: Select Where using character varying ??  (DCarrero <dcarreroc@gmail.com>)
Responses: Re: Select Where using character varying ??
List: pgsql-php
> I think you should try:
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> =\"$Sem\"");

Double quotes are for quoting column names, not string constants.

> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> ='$Sem'");

Better, but all strings, especially those provided by a user, should be
treated with the function pg_escape_string.

Consider that some user types in a form field a text like this:

'; delete from seminar where ''='

When you add single quotes you get two valid queries. One of them is
what you would never want to be executed ;-)

And, by the way - pg_exec is a deprecated name AFAIK. The new one is
pg_query.


--
Ceterum censeo Internet Explorer esse delendam.
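The query construction discussed above, with the unescaped and the escaped form side by side, as an added example that is not from the original thread. It assumes PHP with the pgsql extension loaded; it needs no database connection, and the function names buildUnsafe and buildEscaped are this example's own.

```php
<?php
// Added example, not code from the thread. Assumes ext/pgsql is loaded;
// pg_escape_string() works without a connection (default client encoding).

// Constructed input: the form-field text the message warns about.
$Sem = "'; delete from seminar where ''='";

// Unsafe: the user text is pasted straight into the SQL string, so a single
// quote in the input terminates the literal and whatever follows becomes SQL.
function buildUnsafe(string $sem): string
{
    return "SELECT seminar_id FROM seminar WHERE name ='$sem'";
}

// Safer: pg_escape_string() doubles each single quote (and, depending on the
// server's standard_conforming_strings setting, escapes backslashes), so the
// whole input stays inside one string constant and only one statement results.
function buildEscaped(string $sem): string
{
    return "SELECT seminar_id FROM seminar WHERE name ='"
        . pg_escape_string($sem) . "'";
}

// With pg_query() the unescaped text is sent as two statements and PostgreSQL
// runs both; the escaped text is a single SELECT looking for an odd seminar name.
echo "unescaped: ", buildUnsafe($Sem), "\n";
echo "escaped:   ", buildEscaped($Sem), "\n";

// Preferable to escaping by hand: keep the value out of the SQL text entirely
// with a parameterised query (pg_query_params, PHP 5.1 and later). Shown but
// not executed here because it needs a live connection in $conn.
// $res = pg_query_params($conn,
//     'SELECT seminar_id FROM seminar WHERE name = $1', [$Sem]);
```

Run it from the CLI: the unescaped line contains a second statement after the `;`, while the escaped line has every single quote doubled so the input remains one literal.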
