Re: Select Where using character varying ??
| От | Robert Treat |
|---|---|
| Тема | Re: Select Where using character varying ?? |
| Дата | |
| Msg-id | 200610032048.09195.xzilla@users.sourceforge.net обсуждение исходный текст |
| Ответ на | Re: Select Where using character varying ?? (Mariusz Pękala <skoot@qi.pl>) |
| Список | pgsql-php |
On Tuesday 03 October 2006 16:03, Mariusz Pękala wrote:
> > I think you should try:
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =\"$Sem\"");
>
> Double quotes are for quoting column names, not string constants.
>
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > ='$Sem'");
>
> Better, but all strings, especially provided by some user, should be
> treated by the function pg_escape_string.
>
> Consider that some user types in a form field a text like this:
>
> '; delete from seminar where ''='
>
> When you add single quotes you get two valid queries. One of them is
> what you would never want to be executed ;-)
>
> And, by the way - pg_exec is a deprecated name AFAIK. The new one is
> pg_query.
probably even better would be to use pg_prepare and pg_execute.
--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL
В списке pgsql-php по дате отправления: