Yeah, definitely seems like PQexecParams is the safest and easiest way of doing so. In general, I'm always in favor of using bound parameters exactly for this reason.

Andi

At 10:44 AM 7/7/2005 +0800, Christopher Kings-Lynne wrote:
By the way, using PQexecParams is by far the easiest, fastest and safest way of doing this...

Chris

Ilia Alshanetsky wrote:
iliaa           Wed Jul  6 22:17:21 2005 EDT
  Modified files:
    /php-src/ext/pdo_pgsql      pgsql_driver.c
  Log:
  Leave it up to the user to decide whether to escape the sequence name or not.


http://cvs.php.net/diff.php/php-src/ext/pdo_pgsql/pgsql_driver.c?r1=1.47&r2=1.48&ty=u
Index: php-src/ext/pdo_pgsql/pgsql_driver.c
diff -u php-src/ext/pdo_pgsql/pgsql_driver.c:1.47 php-src/ext/pdo_pgsql/pgsql_driver.c:1.48
--- php-src/ext/pdo_pgsql/pgsql_driver.c:1.47   Wed Jul  6 20:52:19 2005
+++ php-src/ext/pdo_pgsql/pgsql_driver.c        Wed Jul  6 22:17:20 2005
@@ -16,7 +16,7 @@
   +----------------------------------------------------------------------+
 */

-/* $Id: pgsql_driver.c,v 1.47 2005/07/07 00:52:19 iliaa Exp $ */
+/* $Id: pgsql_driver.c,v 1.48 2005/07/07 02:17:20 iliaa Exp $ */

 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -213,11 +213,6 @@
                char *q;
                ExecStatusType status;

-               /* SQL injection protection */
-               if (strchr(name, '\'')) {
-                       return NULL;
-               }
-
spprintf(&q, sizeof("SELECT CURRVAL('')") + strlen(name), "SELECT CURRVAL('%s')", name);
                res = PQexec(H->server, q);
                efree(q);
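Review bot: Dropping the `strchr(name, '\'')` check leaves `name` interpolated unescaped into `"SELECT CURRVAL('%s')"` on the spprintf line that follows, so a sequence name containing a single quote now closes the literal and the rest of the name is executed as SQL by `PQexec`; the commit message says callers are expected to escape, but nothing in this hunk enforces or documents that. Either document on the driver entry point that the name must already be escaped, or replace the spprintf/PQexec pair with `PQexecParams` on `SELECT CURRVAL($1)` and pass `name` as a bound parameter, which makes the removed check, the spprintf and the efree unnecessary.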

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

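The thread above argues that binding the sequence name (PQexecParams with `SELECT CURRVAL($1)`) beats both the removed quote check and caller-side escaping. The following is an added example, not code from the thread or from the pdo_pgsql driver, that shows concretely what the removed check was guarding against: it rebuilds the driver's `SELECT CURRVAL('%s')` statement with a constructed sequence-name payload, runs a small single-quote-aware tokenizer over the result to count how many statements the server would see, and contrasts that with the same name after quote doubling. All function names, the tokenizer and the payload string are illustrative; running the real fix needs a libpq connection, which this example deliberately avoids.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Builds the statement the same way the driver does after this commit:
 * the sequence name is pasted into a single-quoted SQL literal with no
 * escaping (snprintf stands in for spprintf). Caller frees the result. */
char *build_currval_query(const char *name)
{
    const char *fmt = "SELECT CURRVAL('%s')";
    size_t len = strlen(fmt) + strlen(name) + 1;
    char *q = malloc(len);
    if (q == NULL)
        return NULL;
    snprintf(q, len, fmt, name);
    return q;
}

/* Caller-side escaping, the option the commit message leaves to the user:
 * doubles single quotes so a quote inside the name cannot close the
 * literal. Illustrative only; in real libpq code use PQescapeStringConn
 * or PQescapeLiteral, or better, bind the name with PQexecParams. */
char *escape_single_quotes(const char *name)
{
    size_t n = strlen(name), i, j = 0;
    char *out = malloc(2 * n + 1);
    if (out == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        if (name[i] == '\'')
            out[j++] = '\'';
        out[j++] = name[i];
    }
    out[j] = '\0';
    return out;
}

/* Minimal tokenizer for standard-conforming SQL strings: text inside a
 * single-quoted literal ('' is an escaped quote) is opaque, "--" outside a
 * literal starts a comment, and each ';' outside a literal that is followed
 * by more SQL starts another statement. Returns the statement count. */
int count_statements(const char *q)
{
    int in_literal = 0, statements = 1;
    const char *p;
    for (p = q; *p; p++) {
        if (in_literal) {
            if (*p == '\'') {
                if (p[1] == '\'')
                    p++;            /* doubled quote: stay inside the literal */
                else
                    in_literal = 0;
            }
            continue;
        }
        if (*p == '\'') {
            in_literal = 1;
        } else if (p[0] == '-' && p[1] == '-') {
            break;                  /* rest of the line is a comment */
        } else if (*p == ';') {
            const char *n = p + 1;
            while (*n == ' ' || *n == '\t' || *n == '\n')
                n++;
            if (*n != '\0' && !(n[0] == '-' && n[1] == '-'))
                statements++;
        }
    }
    return statements;
}

/* Constructed payload (not from the thread): as a sequence name it closes
 * the literal, ends the statement, appends a second statement and comments
 * out the driver's trailing "')". */
static const char *ATTACK_NAME = "seq'); DROP TABLE accounts; --";

/* Statements the server would see with the raw name: 2, injection works. */
int statements_unescaped(void)
{
    char *q = build_currval_query(ATTACK_NAME);
    int n = count_statements(q);
    free(q);
    return n;
}

/* Statements after quote doubling: 1, the payload stays inside the literal. */
int statements_escaped(void)
{
    char *e = escape_single_quotes(ATTACK_NAME);
    char *q = build_currval_query(e);
    int n = count_statements(q);
    free(q);
    free(e);
    return n;
}

int main(void)
{
    char *raw = build_currval_query(ATTACK_NAME);
    char *e = escape_single_quotes(ATTACK_NAME);
    char *esc = build_currval_query(e);
    printf("raw:     %s  -> %d statement(s)\n", raw, statements_unescaped());
    printf("escaped: %s  -> %d statement(s)\n", esc, statements_escaped());
    free(raw);
    free(esc);
    free(e);
    return 0;
}
```

The tokenizer assumes standard-conforming strings. With a server that still honours backslash escapes in plain literals, a name containing `\'` defeats quote doubling (`\''` is read as an escaped quote followed by the closing quote), which is why a hand-rolled escaper is the wrong tool and a bound parameter, as the thread recommends, is the right one.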
