From: jlawson-php at bovine dot net
Operating system: FreeBSD
PHP version: 4.3.6
PHP Bug Type: PostgreSQL related
Bug description: Add way to execute pgsql queries with sql bound parameters

Description:
------------
Using bound parameters when executing SQL commands should be encouraged, since using them for all substitutable variables will eliminate most SQL injection types of attacks. Although some of the database providers in PHP already provide ways to prepare/execute queries with substituted parameters, not all of them do. The "pgsql" PHP extension for PostgreSQL does not include any existing way, so I have implemented a new pg_query_params() function that allows you to do this in a single function call.

Note that my new method has chosen not to follow the style of providing two separate prepare/execute functions for bound parameter execution. This is because with PostgreSQL it would require the user to use a significantly different SQL query format and assign the prepared query a session-unique name, making it much more cumbersome to use, i.e.:

"PREPARE mystmt(text,int,float8) AS insert into abc values($1,$2,$3)"

instead of just

"insert into abc values($1,$2,$3)"

PostgreSQL requires that parameter binding uses numbered placeholders ($1, $2, $3, etc.) instead of just an unlabelled "?", which is common for the other providers (like ODBC).

The PQexecParams() libpq function that I depend on is unfortunately only available in PostgreSQL 7.4, so some autoconf checks will need to be added before integrating my new function into PHP.

Reproduce code:
---------------
A patch including my new extension function will be attached later.
However, sample code that uses my function might be:

$params = array("joe's place", 22, 123.4);
pg_query_params("insert into abc values($1,$2,$3)", $params);

Expected result:
----------------
n/a

Actual result:
--------------
n/a

-- 
Edit bug report at http://bugs.php.net/?id=28199&edit=1
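The interpolation pattern the report wants to replace, shown beside the bound-parameter call it proposes; this is an added example, not code from the report or the patch. It assumes a table abc(name text, n int, x float8), placeholder connection parameters, and the connection-first form of pg_query_params() that the pgsql extension eventually shipped.

```php
<?php
// Added example (not from the bug report). Assumes a table
// abc(name text, n int, x float8); the connection string is a placeholder.
$db = pg_connect("dbname=test");
if ($db === false) {
    die("connection failed\n");
}

// Before: the statement is built by string interpolation. The apostrophe
// in "joe's place" terminates the literal early, so this query fails, and
// a crafted value would run SQL the caller never wrote.
function insert_interpolated($db, $name, $n, $x)
{
    $sql = "insert into abc values('$name', $n, $x)";
    return pg_query($db, $sql);
}

// After: the SQL text is fixed and the values travel separately as bound
// parameters ($1, $2, $3). The server never parses them as SQL, so quoting
// characters in $name are stored verbatim.
function insert_bound($db, $name, $n, $x)
{
    $params = array($name, $n, $x);
    return pg_query_params($db, "insert into abc values($1, $2, $3)", $params);
}

$row = array("joe's place", 22, 123.4);

$r = insert_interpolated($db, $row[0], $row[1], $row[2]);
echo "interpolated: " . ($r === false ? "failed: " . pg_last_error($db) : "ok") . "\n";

$r = insert_bound($db, $row[0], $row[1], $row[2]);
echo "bound: " . ($r === false ? "failed: " . pg_last_error($db) : "ok") . "\n";

// Read the row back, again with a bound parameter: the stored name keeps
// its apostrophe intact.
$res = pg_query_params($db, "select name from abc where name = $1", array($row[0]));
while ($res !== false && ($line = pg_fetch_assoc($res)) !== false) {
    echo "stored: " . $line['name'] . "\n";
}
pg_close($db);
```

With the two-argument form from the report, pg_query_params() would act on the most recently opened connection instead of an explicit $db.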