Re: Select Where using character varying ??
| From | Robert Treat |
|---|---|
| Subject | Re: Select Where using character varying ?? |
| Date | |
| Msg-id | 200610032048.09195.xzilla@users.sourceforge.net |
| In reply to | Re: Select Where using character varying ?? (Mariusz Pękala <skoot@qi.pl>) |
| List | pgsql-php |
On Tuesday 03 October 2006 16:03, Mariusz Pękala wrote:
> > I think you should try:
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =\"$Sem\"");
>
> Double quotes are for quoting column names, not string constants.
>
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > ='$Sem'");
>
> Better, but all strings, especially provided by some user, should be
> treated by the function pg_escape_string.
>
> Consider that some user types in a form field a text like this:
>
> '; delete from seminar where ''='
>
> When you add single quotes you get two valid queries. One of them is
> what you would never want to be executed ;-)
>
> And, by the way - pg_exec is a deprecated name AFAIK. The new one is
> pg_query.

probably even better would be to use pg_prepare and pg_execute.

--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL
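The two fixes discussed in this thread side by side, as an added example that is not part of the original posts. It assumes a reachable PostgreSQL database (placeholder connection string) with a table `seminar(seminar_id, name)`; the statement name `find_seminar` is an arbitrary choice.

```php
<?php
// Added example, not from the thread. Assumes a PostgreSQL database reachable
// with the placeholder connection string below and a table
// seminar(seminar_id integer, name character varying).
$conn = pg_connect('host=localhost dbname=example user=example password=EXAMPLE');
if ($conn === false) {
    die("connection failed\n");
}

// The form-field value from the thread. With naive interpolation it turns
// one SELECT into a SELECT followed by a DELETE.
$Sem = "'; delete from seminar where ''='";

// Vulnerable form from the thread: the user string becomes part of the SQL
// text. The result is only printed here, never executed.
$vulnerable = "SELECT seminar_id FROM seminar WHERE name ='$Sem'";
echo "Interpolated text: $vulnerable\n";
// Prints: SELECT seminar_id FROM seminar WHERE name =''; delete from seminar where ''=''

// Mitigation 1 (pg_escape_string): each single quote in the value is doubled,
// so the whole input stays inside one string constant.
$safe = pg_escape_string($conn, $Sem);
$res = pg_query($conn, "SELECT seminar_id FROM seminar WHERE name ='$safe'");
if ($res === false) {
    die(pg_last_error($conn) . "\n");
}
echo "escaped query matched " . pg_num_rows($res) . " row(s)\n";

// Mitigation 2 (pg_prepare / pg_execute, the thread's preferred option): the
// SQL text is fixed at prepare time and the value travels as a parameter, so
// the server never parses it as SQL. Note the single-quoted PHP string so
// that $1 is passed literally to PostgreSQL.
$prep = pg_prepare($conn, 'find_seminar',
    'SELECT seminar_id FROM seminar WHERE name = $1');
if ($prep === false) {
    die(pg_last_error($conn) . "\n");
}
$res = pg_execute($conn, 'find_seminar', [$Sem]);
if ($res === false) {
    die(pg_last_error($conn) . "\n");
}
// Only a seminar literally named "'; delete from seminar where ''='" matches.
while ($row = pg_fetch_assoc($res)) {
    echo $row['seminar_id'], "\n";
}
```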