> Is there a switch (php side or pg side) to avoid things like:
>
> pg_query("select id from table1 where a=$i");
>
> into becoming
>
> pg_query("select id from table1 where a=1 and 1=1; do something
> nasty; -- ");
Ideally, you'd use this:
pg_query_params('select id from table1 where a=$1', array($i));
http://us2.php.net/manual/en/function.pg-query-params.php
Alternately, you can do this:
$i = pg_escape_string($i);
pg_query(" select id from table1 where a='$i' ");
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
