On Mar 7, 2008, at 1:21 PM, Mary Anderson wrote:
> I know I should be using pg_prepare/pg_execute to make my PHP -
> postgres code more secure. But I am wondering just what I can put
> in for parameters: Here is a brief checklist:
>
> 1. values for inserted columns OK
> 2. names of inserted columns ????
> 3. names of tables ????
> 4. A whole select list e.g. "fu, bar" NOT OK
>
> My application is a bit more complex than the ones shown in the
> books and manuals. My data comes in as a large number of individual
> tables which are sort of related (worldwide mortality statistics)
> but which have widely differing table structures. So I am always
> creating temporary tables to handle data input and output, and these
> tables have variable column structure.
Values only. But you can still generate your SQL dynamically for
creating prepared statements to handle variable table and column
names. The important part is to parameterize values to secure any data
coming from outside sources.
John DeSoi, Ph.D.