FAQ
Hi,
I know I should be using pg_prepare/pg_execute to make my PHP -
postgres code more secure. But I am wondering just what I can put in
for parameters: Here is a brief checklist:

1. values for inserted columns OK
2. names of inserted columns ????
3. names of tables ????
4. A whole select list e.g. "fu, bar" NOT OK

My application is a bit more complex than the ones shown in the books
and manuals. My data comes in as a large number of individual tables
which are sort of related (worldwide mortality statistics) but which
have widely differing table structures. So I am always creating
temporary tables to handle data input and output, and these tables have
variable column structure.

Thanks in advance
Mary


  • John DeSoi at Mar 10, 2008 at 12:31 am

    On Mar 7, 2008, at 1:21 PM, Mary Anderson wrote:

    I know I should be using pg_prepare/pg_execute to make my PHP -
    postgres code more secure. But I am wondering just what I can put
    in for parameters: Here is a brief checklist:

    1. values for inserted columns OK
    2. names of inserted columns ????
    3. names of tables ????
    4. A whole select list e.g. "fu, bar" NOT OK

    My application is a bit more complex than the ones shown in the
    books and manuals. My data comes in as a large number of individual
    tables which are sort of related (worldwide mortality statistics)
    but which have widely differing table structures. So I am always
    creating temporary tables to handle data input and output, and these
    tables have variable column structure.

    Values only. But you can still generate your SQL dynamically for
    creating prepared statements to handle variable table and column
    names. The important part is to parameterize values to secure any data
    coming from outside sources.



    John DeSoi, Ph.D.
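The split John describes, identifiers built into the statement text and values bound as parameters, is what a worked example looks like in PHP with the pgsql extension. This is an added example, not code from the thread or from the PostgreSQL project. It assumes a local database reachable through the constructed $conninfo string, and it uses pg_escape_identifier, which was added in PHP 5.4.4 and so did not exist when the thread was written; the allowlist regex in safe_ident carries most of the weight on its own. The table name, column names and rows are constructed sample input. The same identifier check covers a select list (item 4 in the checklist) one column at a time, which is why a whole "fu, bar" string can never be bound as a single parameter.

```php
<?php
// Added example (not from the original thread). Assumes a local PostgreSQL
// reachable via the constructed $conninfo below and a PHP build with the
// pgsql extension (pg_escape_identifier needs PHP >= 5.4.4).

// Identifiers (table and column names) cannot be bound with $1, $2, ... so
// they are validated against a strict pattern and then quoted as identifiers.
function safe_ident($conn, string $name): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,62}$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return pg_escape_identifier($conn, $name); // returns the name in double quotes
}

// Build a temporary table whose column list is only known at run time.
function create_temp_table($conn, string $table, array $columns): void {
    $cols = [];
    foreach ($columns as $col) {
        $cols[] = safe_ident($conn, $col) . ' text';
    }
    $sql = 'CREATE TEMP TABLE ' . safe_ident($conn, $table)
         . ' (' . implode(', ', $cols) . ')';
    if (pg_query($conn, $sql) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

// Prepare one INSERT with a $n placeholder per column. Only the values travel
// as parameters, so row data from outside sources cannot change the SQL.
function prepare_insert($conn, string $stmt, string $table, array $columns): void {
    $idents = array_map(fn($c) => safe_ident($conn, $c), $columns);
    $params = [];
    for ($i = 1; $i <= count($columns); $i++) {
        $params[] = '$' . $i;
    }
    $sql = 'INSERT INTO ' . safe_ident($conn, $table)
         . ' (' . implode(', ', $idents) . ') VALUES (' . implode(', ', $params) . ')';
    if (pg_prepare($conn, $stmt, $sql) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

$conninfo = 'host=localhost dbname=mortality user=mary'; // constructed; adjust locally
$conn = pg_connect($conninfo) or die("connect failed\n");

// Constructed sample input. The second row shows that a quote or SQL fragment
// inside a value is stored literally, because it never becomes part of the SQL text.
$columns = ['country', 'year', 'deaths'];
$rows = [
    ['Sweden', '1999', '93000'],
    ["O'Brien's Land', 1); DROP TABLE secrets; --", '2000', '1'],
];

create_temp_table($conn, 'who_input', $columns);
prepare_insert($conn, 'ins_who', 'who_input', $columns);
foreach ($rows as $row) {
    if (pg_execute($conn, 'ins_who', $row) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
}

// A column name that fails the identifier check is rejected before any SQL is built.
try {
    create_temp_table($conn, 'bad', ['deaths; DROP TABLE who_input']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

$res = pg_query($conn, 'SELECT count(*) FROM who_input');
echo pg_fetch_result($res, 0, 0), " rows inserted\n";
```

Two points worth checking in your own code: the number of $n placeholders must equal the number of columns you validated, so derive both from the same array as above rather than from separate strings, and the identifier allowlist should be as narrow as your data permits (the regex here mirrors PostgreSQL's rules for unquoted names, so anything containing spaces, quotes or semicolons is refused outright).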

Discussion Overview
group: pgsql-novice
categories: postgresql
posted: Mar 7, '08 at 6:21p
active: Mar 10, '08 at 12:31a
posts: 2
users: 2
website: postgresql.org
irc: #postgresql
