Re: problem with single quote in postgres 8.3.5

From: David Fetter
Subject: Re: problem with single quote in postgres 8.3.5
Date:
Msg-id: 20090307180222.GA11100@fetter.org
In reply to: problem with single quote in postgres 8.3.5  (hugocoolens <hugocoolens@gmail.com>)
List: pgsql-general
On Sat, Mar 07, 2009 at 05:53:21AM -0800, hugocoolens wrote:
> I have a little php-script to help me learn foreign languages
> In my php-code I have the following line:
> $query="update wordlist set known=true where dutch='".$preceding."'";

With this kind of line, you are inviting an SQL injection as
illustrated below:

http://xkcd.com/327/

Instead, use pg_prepare() and pg_execute() for this kind of thing.

Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter@gmail.com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
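The point of the reply, shown as an added example (not code from the original poster or from David Fetter): the same UPDATE written first the way the original post builds it, where a single quote in the word ends the string literal and breaks the statement, and then with pg_prepare()/pg_execute() (and the one-shot pg_query_params() variant), where the value is sent separately from the SQL text and never parsed as SQL. The connection string, the table layout and the sample word are assumptions made for illustration.

```php
<?php
// Added example; assumes a PostgreSQL server reachable with this connection
// string and a table wordlist(dutch text, known boolean). Both are assumptions.
$conn = pg_connect("host=localhost dbname=wordlist_db user=app password=secret");
if ($conn === false) {
    die("connection failed\n");
}

// Constructed input: a Dutch word that contains a single quote.
$preceding = "'t Kofschip";

// Vulnerable form from the post: the value is spliced into the SQL text, so the
// quote inside it terminates the literal. The resulting string is
//   update wordlist set known=true where dutch=''t Kofschip'
// which is a syntax error at best, and attacker-controlled SQL at worst.
$unsafe = "update wordlist set known=true where dutch='" . $preceding . "'";

// Hardened form: a named prepared statement with a $1 placeholder. Single quotes
// around the SQL keep PHP from trying to interpolate anything; the parameter
// value is passed to the server out of band and cannot alter the statement.
$stmt = pg_prepare($conn, "mark_known",
    'update wordlist set known=true where dutch=$1');
if ($stmt === false) {
    die("prepare failed: " . pg_last_error($conn) . "\n");
}
$result = pg_execute($conn, "mark_known", array($preceding));
if ($result === false) {
    die("execute failed: " . pg_last_error($conn) . "\n");
}
echo pg_affected_rows($result) . " row(s) updated via pg_execute\n";

// Equivalent one-shot form when a named statement is not needed: the same
// $1 placeholder, the same separation of SQL text and value.
$result = pg_query_params($conn,
    'update wordlist set known=true where dutch=$1', array($preceding));
if ($result === false) {
    die("query failed: " . pg_last_error($conn) . "\n");
}
echo pg_affected_rows($result) . " row(s) updated via pg_query_params\n";

pg_close($conn);
```

With either parameterised form, "'t Kofschip" simply matches (or fails to match) the dutch column; there is no quoting to get right, so the single-quote problem the original post hit disappears along with the injection risk.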
