Re: Select Where using character varying ??
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
On Tuesday 03 October 2006 16:03, Mariusz Pękala wrote:
> > I think you should try:
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > =\"$Sem\"");
>
> Double quotes are for quoting column names, not string constants.
>
> > $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name
> > ='$Sem'");
>
> Better, but all strings, especially provided by some user, should be
> treated by the function pg_escape_string.
>
> Consider that some user types in a form field a text like this:
>
> '; delete from seminar where ''='
>
> When you add single quotes you get two valid queries. One of them is
> what you would never want to be executed ;-)
>
> And, by the way - pg_exec is a deprecated name AFAIK. The new one is
> pg_query.
probably even better would be to use pg_prepare and pg_execute.
--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL
[Postgresql General]
[Postgresql Admin]
[PHP Users]
[PHP Home]
[PHP on Windows]
[Kernel Newbies]
[PHP Classes]
[PHP Databases]
[Yosemite Backpacking]
[Postgresql Jobs]
