Re: Protection from SQL injection
From | PFC |
---|---|
Subject | Re: Protection from SQL injection |
Date | |
Msg-id | op.uadzcsamcigqcu@apollo13.peufeu.com (discussion, source text) |
In reply to | Re: Protection from SQL injection (Josh Berkus <josh@agliodbs.com>) |
List | pgsql-hackers |
> For example, some applications need to replace whole phrases:
>
> $criteria = "WHERE $var1 = '$var2'"
>
> This is a very common approach for dynamic search screens, and really not
> covered by placeholder approaches.

Python, again:

```python
# cursor: an open DB-API cursor (psycopg2 uses the %(name)s placeholder style)
params = {'column1': 10, 'column2': "a st'ring"}
# Build "column1=%(column1)s AND column2=%(column2)s"; the values stay in the
# params dict and are passed to execute(), never spliced into the SQL text.
where = " AND ".join("%s=%%(%s)s" % (key, key) for key in params)
cursor.execute("SELECT * FROM table WHERE " + where, params)
```

I use the same approach (albeit more complicated) in PHP. For complex expressions you can play with arrays etc., it is not that difficult. Or you just do:

```php
$criteria = db_quote_query( "WHERE $var1 = %s", array( $var2 ));
```

using the function I posted earlier. This supposes, of course, that $var1, which is the column name, comes from a known source and not from user input. In that case, $var1 will probably be the form field name, which means it is specified by the programmer a few lines prior in the code.
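The following is an added example, not code from PFC's message or from the PostgreSQL project. It carries the dynamic-search idea above one step further: values always travel through placeholders, and because placeholders cannot carry identifiers, the column names are checked against an allowlist before they are spliced into the SQL text. The table `t`, the columns `column1`/`column2`, the `ALLOWED_COLUMNS` set and the sample rows are all constructed for this example; the `pyformat` branch produces the `%(name)s` style psycopg2 expects, and the `named` branch produces the `:name` style so the demo can run offline against an in-memory sqlite3 database.

```python
import sqlite3

# Columns a search screen may filter on (constructed for this example).
# Identifiers cannot go through placeholders, so they are allowlisted instead.
ALLOWED_COLUMNS = {"column1", "column2"}


def build_where(criteria, allowed=ALLOWED_COLUMNS, paramstyle="pyformat"):
    """Turn {column: value} into (where_clause, params).

    Each column name is validated against `allowed`; each value is bound via a
    placeholder, never interpolated.  paramstyle is 'pyformat' (%(name)s, as
    psycopg2 uses) or 'named' (:name, as sqlite3 uses).  An empty criteria dict
    yields an empty clause so the caller's query stays valid.
    """
    if not criteria:
        return "", {}
    clauses = []
    params = {}
    for key in sorted(criteria):  # sorted so the SQL text is deterministic
        if key not in allowed:
            raise ValueError("column not allowed: %r" % key)
        if paramstyle == "pyformat":
            clauses.append("%s = %%(%s)s" % (key, key))
        elif paramstyle == "named":
            clauses.append("%s = :%s" % (key, key))
        else:
            raise ValueError("unsupported paramstyle: %r" % paramstyle)
        params[key] = criteria[key]
    return " WHERE " + " AND ".join(clauses), params


def search(conn, criteria):
    """Run the dynamic search against sqlite3 and return matching rows."""
    where, params = build_where(criteria, paramstyle="named")
    return conn.execute("SELECT column1, column2 FROM t" + where, params).fetchall()


def demo():
    """Exercise the builder: a normal search, hostile input, a bad column name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (column1 INTEGER, column2 TEXT)")
    # Constructed sample rows.
    conn.executemany(
        "INSERT INTO t VALUES (?, ?)",
        [(10, "a st'ring"), (10, "other"), (20, "a st'ring")],
    )
    # Ordinary search; the quote inside the value is just data.
    match = search(conn, {"column1": 10, "column2": "a st'ring"})
    # A quote-based tautology in a value is compared literally, so nothing matches.
    hostile = search(conn, {"column2": "x' OR '1'='1"})
    # A column name that is not on the allowlist is refused before any SQL is built.
    try:
        search(conn, {"column1; DROP TABLE t": 1})
        rejected = False
    except ValueError:
        rejected = True
    return match, hostile, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is what closes the gap PFC notes at the end of the message: with it, `$var1` may come from the request as well, because anything outside the known set of column names is rejected rather than concatenated.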