| From: | ljb <lbayuk(at)pobox(dot)com> |
|---|---|
| To: | pgsql-php(at)postgresql(dot)org |
| Subject: | Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux |
| Date: | 2007-02-06 02:20:51 |
| Message-ID: | eq8om3omeq8om3$4om$1@news.hub.org@news.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-php |
vdephily(at)bluemetrix(dot)com wrote:
>...
> I think you can instead use prepared statements via SQL directly (as php
> probably does in the end) :
>
> // initialisation
> pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES
> ($1);');
> // insert loop
> pg_query("EXECUTE mystatement (' . pg_escape_bytea($data) . "');");
>
> Annoying to have to do all this yourself, but it should work (and it *is* a
> parameterized query).
It's sort of a parameterized query, but not really in the sense the
original poster wants. That is, it does not protect against SQL injection
attacks the way a true parameterized query does (with the variable data
passed outside of the SQL statement itself, and not subject to SQL
parsing). If some way around pg_escape_bytea were to be found (as perhaps
happened before with multi-byte characters and PQescapeString), the above
could be vulnerable. In fact I don't see where it is any safer than
just doing pg_query("INSERT ... '" . pg_escape_bytea($data) . "')");
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Gary Chambers | 2007-02-07 14:58:34 | Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux |
| Previous Message | Tom Lane | 2007-02-05 21:49:10 | Re: Symbol lookup error |