Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux
| From | ljb |
|---|---|
| Subject | Re: pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux |
| Date | |
| Msg-id | eq8om3$4om$1@news.hub.org |
| In response to | pg_[un]escape_bytea, pgsql 8.2.1, php 5.1.6, Linux ("Gary Chambers" <gwchamb@gmail.com>) |
| List | pgsql-php |

vdephily@bluemetrix.com wrote:
>...
> I think you can instead use prepared statements via SQL directly (as php
> probably does in the end) :
>
> // initialisation
> pg_query('PREPARE mystatement (bytea) AS INSERT INTO mytable (bd) VALUES
> ($1);');
> // insert loop
> pg_query("EXECUTE mystatement ('" . pg_escape_bytea($data) . "');");
>
> Annoying to have to do all this yourself, but it should work (and it *is* a
> parameterized query).

It's sort of a parameterized query, but not really in the sense the
original poster wants. That is, it does not protect against SQL injection
attacks the way a true parameterized query does (with the variable data
passed outside of the SQL statement itself, and not subject to SQL
parsing). If some way around pg_escape_bytea were to be found (as perhaps
happened before with multi-byte characters and PQescapeString), the above
could be vulnerable. In fact I don't see where it is any safer than
just doing pg_query("INSERT ... '" . pg_escape_bytea($data) . "')");
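
The distinction drawn above, shown at the level of the PostgreSQL frontend/backend protocol (version 3.0), as an added example that is not part of the original message: string-built SQL, including an `EXECUTE` sent through `pg_query`, travels as one Query message with the escaped data inside the SQL text, while a true parameterized query sends constant SQL in Parse and the raw bytes in Bind. It is written in Python so the message bytes can be built without a server; `toy_escape_bytea` and the sample input are constructed for illustration, and `mytable` and `bd` are taken from the quoted message.

```python
import struct

BYTEA_OID = 17                      # pg_type OID of bytea
SAMPLE = b"\x00'\\\xff"             # constructed input: NUL, quote, backslash, 0xFF

def frame(tag, body):
    # Protocol 3.0 framing: 1-byte type tag, then an Int32 length that counts itself.
    return tag + struct.pack("!I", len(body) + 4) + body

def cstr(s):
    return s.encode("ascii") + b"\x00"

def toy_escape_bytea(data):
    # Simplified stand-in for pg_escape_bytea (assumption): every byte becomes
    # \\ooo, for a server that treats backslashes in string literals as escapes.
    return "".join("\\\\%03o" % b for b in data)

def simple_query(data):
    # String-built SQL: a single Query ('Q') message whose SQL text contains the
    # escaped data, so the server's SQL parser reads it.
    sql = "INSERT INTO mytable (bd) VALUES ('" + toy_escape_bytea(data) + "');"
    return frame(b"Q", cstr(sql))

def parse_and_bind(data):
    # Extended query: Parse ('P') carries constant SQL text, Bind ('B') the value.
    sql = "INSERT INTO mytable (bd) VALUES ($1)"
    parse = frame(b"P", cstr("") + cstr(sql) + struct.pack("!HI", 1, BYTEA_OID))
    bind = frame(b"B",
                 cstr("") + cstr("")                       # unnamed portal, statement
                 + struct.pack("!HH", 1, 1)                # one format code: binary
                 + struct.pack("!Hi", 1, len(data)) + data # one length-prefixed value
                 + struct.pack("!H", 0))                   # default result formats
    return parse, bind

if __name__ == "__main__":
    parse, bind = parse_and_bind(SAMPLE)
    print("Query:", simple_query(SAMPLE))
    print("Parse:", parse)
    print("Bind: ", bind)
```

The Parse message is byte-for-byte identical whatever the data is, so nothing in the value can change what the SQL parser sees; in the Query message the only barrier is the escaping function.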