ID: 28199 User updated by: jlawson-php at bovine dot net Reported By: jlawson-php at bovine dot net Status: Open Bug Type: PostgreSQL related Operating System: FreeBSD PHP Version: 4.3.6 New Comment:
I guess bug attachments aren't supported here. In any case, you can download it from here: http://bugs.distributed.net/attachment.cgi?id=301&action=view (If you case, the enhancement/bug that I developed this patch for at distributed.net is available at http://bugs.distributed.net/show_bug.cgi?id=3643 ) Previous Comments: ------------------------------------------------------------------------ [2004-04-28 04:45:34] jlawson-php at bovine dot net Description: ------------ Using bound parameters when executing SQL commands should be encouraged, since use of it for all substitutable variables will eliminate most SQL injection types of attacks. Although some of the database providers in PHP already provide ways to prepare/execute queries with substituted parameters, not all of them do. The "pgsql" PHP extension for PostgreSQL does not include any existing way, so I have implemented a new pg_query_params() function that allows you to do this in a single function call. Note that this my new method has chosen not follow the style of providing two separate prepare/execute functions for bound parameter execution. This is because with PostgreSQL it would require the user to use a significantly different SQL query format and assign the prepared query a session-unique name, making it much more cumbersome to use. ie: "PREPARE mystmt(text,int,float8) AS insert into abc values($1,$2,$3)" instead of just "insert into abc values($1,$2,$3)" PostgreSQL requires that parameter binding uses numbered placeholders ($1, $2, $3, etc) instead of just an unlabelled "?", that is common for the other providers (like ODBC). The PQexecParams() pqlib function that I depend on is unfortunately only available in PostgreSQL 7.4, so some autoconf checks will need to be added before integrating my new function into PHP. Reproduce code: --------------- A patch including my new extension function will be attached later. However sample code that uses my function might be: $params = array("joe's place", 22, 123.4); pg_query_params("insert into abc values($1,$2,$3)", $params); Expected result: ---------------- n/a Actual result: -------------- n/a ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28199&edit=1
