Edink,
It is malloc + PQescapeString + free, which in most cases is completely
unnecessary. While, as Christopher demonstrates, a sequence name could
contain special chars, I'd wager that is a VERY uncommon situation.
Ilia
Edin Kadribasic wrote:
Hi Ilia,
Would you please revert this change?
Saving one malloc/free in a function that has to query the DB server anyway is not
going to give you much of a performance improvement, while the other methods are not
portable across different PostgreSQL versions.
Edin
On Thursday 07 July 2005 02:52, Ilia Alshanetsky wrote:
iliaa Wed Jul 6 20:52:20 2005 EDT
Modified files:
/php-src/ext/pdo_pgsql pgsql_driver.c
Log:
Faster sequence id retrieval.
http://cvs.php.net/diff.php/php-src/ext/pdo_pgsql/pgsql_driver.c?r1=1.46&r2=1.47&ty=u
Index: php-src/ext/pdo_pgsql/pgsql_driver.c
diff -u php-src/ext/pdo_pgsql/pgsql_driver.c:1.46 php-src/ext/pdo_pgsql/pgsql_driver.c:1.47
--- php-src/ext/pdo_pgsql/pgsql_driver.c:1.46 Fri Jul 1 18:43:16 2005
+++ php-src/ext/pdo_pgsql/pgsql_driver.c Wed Jul 6 20:52:19 2005
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: pgsql_driver.c,v 1.46 2005/07/01 22:43:16 edink Exp $ */
+/* $Id: pgsql_driver.c,v 1.47 2005/07/07 00:52:19 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -210,15 +210,16 @@
*len = spprintf(&id, 0, "%ld", (long) H->pgoid);
} else {
PGresult *res;
- char *name_escaped, *q;
- size_t l = strlen(name);
+ char *q;
ExecStatusType status;
- name_escaped = safe_emalloc(l, 2, 1);
- PQescapeString(name_escaped, name, l);
- spprintf(&q, 0, "SELECT CURRVAL('%s')", name_escaped);
+ /* SQL injection protection */
+ if (strchr(name, '\'')) {
+ return NULL;
+ }
+
+ spprintf(&q, sizeof("SELECT CURRVAL('')") + strlen(name),
"SELECT
CURRVAL('%s')", name); res = PQexec(H->server, q);
- efree(name_escaped);
efree(q);
status = PQresultStatus(res);
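Review bot: the `strchr(name, '\'')` guard under `/* SQL injection protection */` rejects input where the removed PQescapeString call used to escape it, and its early `return NULL` neither sets `*len` nor reports anything, so a caller asking for a sequence whose name legitimately contains an apostrophe now gets a silent failure instead of the id it got before this change. The check also covers less than the call it replaces: PQescapeString doubled backslashes as well as quotes, and only quotes are rejected here, so a name ending in a backslash yields `SELECT CURRVAL('...\')`, where the backslash escapes the closing quote and the statement fails to parse. If the escaping is to go, set `*len = 0` (or push the rejection through the driver's error path) before returning, extend the check to backslashes, and drop the computed limit in `spprintf(&q, sizeof("SELECT CURRVAL('')") + strlen(name), ...)`: spprintf allocates the result itself, so the arithmetic saves nothing over the `0` used before and only adds a place for an off-by-one to truncate the query.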
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php