From:             jlawson-php at bovine dot net
Operating system: FreeBSD
PHP version:      4.3.6
PHP Bug Type:     PostgreSQL related
Bug description:  Add way to execute pgsql queries with sql bound parameters

Description:
------------
Using bound parameters when executing SQL commands should be encouraged,
since use of it for all substitutable variables will eliminate most SQL
injection types of attacks.

Although some of the database providers in PHP already provide ways to
prepare/execute queries with substituted parameters, not all of them do.
The "pgsql" PHP extension for PostgreSQL does not include any existing
way, so I have implemented a new pg_query_params() function that allows
you to do this in a single function call.

Note that my new method has chosen not to follow the style of providing
two separate prepare/execute functions for bound parameter execution.
This is because with PostgreSQL it would require the user to use a
significantly different SQL query format and assign the prepared query a
session-unique name, making it much more cumbersome to use, i.e. "PREPARE
mystmt(text,int,float8) AS insert into abc values($1,$2,$3)" instead of
just "insert into abc values($1,$2,$3)".

PostgreSQL requires that parameter binding use numbered placeholders ($1,
$2, $3, etc.) instead of the unlabelled "?" that is common for the
other providers (like ODBC).

The PQexecParams() libpq function that I depend on is unfortunately only
available in PostgreSQL 7.4, so some autoconf checks will need to be added
before integrating my new function into PHP.

Reproduce code:
---------------
A patch including my new extension function will be attached later.
However, sample code that uses my function might be:

// $1, $2 and $3 refer to the first, second and third array elements.
$params = array("joe's place", 22, 123.4);
pg_query_params("insert into abc values($1,$2,$3)", $params);


Expected result:
----------------
n/a

Actual result:
--------------
n/a

-- 
Edit bug report at http://bugs.php.net/?id=28199&edit=1
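Added example, not part of the bug report and not PHP's own source: it uses pg_query_params() as it later shipped in PHP 5.1 (which also accepts the connection as an optional first argument) to show why the report's "joe's place" value matters, how the numbered $n placeholders map to the array, and that a placeholder can be reused. The connection string, the throwaway table abc(name text, age int, score float8) and the sample rows are assumptions made for illustration.

```php
<?php
// Added example (not from the bug report). Assumes PHP >= 5.1 with the pgsql
// extension and a reachable PostgreSQL server; the connection string and the
// table below are assumptions for illustration only.
$conn = pg_connect("host=localhost dbname=test user=test password=secret")
    or die("connect failed: " . pg_last_error());

// Temporary table matching the report's "insert into abc values($1,$2,$3)".
pg_query($conn, "CREATE TEMP TABLE abc (name text, age int, score float8)")
    or die("create failed: " . pg_last_error($conn));

// Same values as in the report. The apostrophe in "joe's place" is exactly
// the character that breaks naive string building.
$name  = "joe's place";
$age   = 22;
$score = 123.4;

// 1. String interpolation (the "before" case): the apostrophe ends the SQL
//    literal early, so the statement is rejected; with attacker-chosen input
//    the same flaw is SQL injection. The warning is suppressed with @ so the
//    failure is reported through pg_last_error() instead.
$unsafe = "INSERT INTO abc VALUES ('$name', $age, $score)";
$res = @pg_query($conn, $unsafe);
echo $res ? "unsafe insert ran\n"
          : "unsafe insert rejected: " . pg_last_error($conn) . "\n";

// 2. Bound parameters: SQL text and values travel separately, so the server
//    never parses "joe's place" as SQL. Placeholders are numbered from $1 and
//    index into the array in order; values are sent as text and PostgreSQL
//    casts them to the column types.
$res = pg_query_params($conn,
    'INSERT INTO abc VALUES ($1, $2, $3)',
    array($name, $age, $score));
if (!$res) die("param insert failed: " . pg_last_error($conn));

// 3. A numbered placeholder may be reused: $1 appears twice, one value bound.
$res = pg_query_params($conn,
    'SELECT name, age FROM abc WHERE name = $1 OR name = upper($1)',
    array($name));
while ($row = pg_fetch_assoc($res)) {
    printf("%s is %d\n", $row['name'], $row['age']);
}

// 4. SQL NULL is passed as PHP null, not as the string "NULL".
pg_query_params($conn, 'INSERT INTO abc VALUES ($1, $2, $3)',
    array('unknown', null, null));

pg_close($conn);
```

Single-quote the SQL string in PHP so that $1, $2 and $3 reach PostgreSQL untouched; in a double-quoted string PHP leaves "$1" alone only because a variable name cannot start with a digit, which is easy to overlook when editing the query later. The prepare/execute style the report argues against also exists in PHP 5.1 as pg_prepare()/pg_execute() for cases where the same statement is run many times.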