Re: Select Where using character varying ??




> I think you should try:
> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name 
> =\"$Sem\"");

Double quotes are for quoting column names, not string constants.

> $Sem_No = pg_Exec($conn,"SELECT seminar_id FROM seminar WHERE name 
> ='$Sem'");

Better, but all strings, especially those provided by a user, should be
passed through the function pg_escape_string.

Consider that some user types in a form field a text like this:

'; delete from seminar where ''='

When you add single quotes you get two valid queries. One of them is
what you would never want to be executed ;-)

And, by the way - pg_exec is a deprecated name AFAIK. The new one is
pg_query.


-- 
Ceterum censeo Internet Explorer esse delendam.
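Worked example added here (not from the thread): the query the quoted line builds, fed the exact payload from the message, next to the same query with the value passed through pg_escape_string. $Sem, $conn and the seminar/name identifiers are taken from the thread; the pg_connect DSN is a placeholder assumption.

```php
<?php
// Added example, not code from the original thread. Shows how the payload
// quoted in the message turns an unescaped query into two statements, and
// how pg_escape_string keeps it inside one string literal.

// Constructed form input: exactly the text given in the post.
$Sem = "'; delete from seminar where ''='";

// Vulnerable: the raw value is dropped straight into the SQL text.
function build_unsafe(string $sem): string
{
    return "SELECT seminar_id FROM seminar WHERE name ='$sem'";
}

// Fixed: pg_escape_string doubles every embedded single quote (and, where the
// server needs it, backslashes), so the whole value stays one literal. Pass
// the connection so escaping follows that connection's encoding and settings;
// without one, PHP falls back to libpq's connection-less escaping.
function build_escaped(string $sem, $conn = null): string
{
    $quoted = $conn ? pg_escape_string($conn, $sem) : pg_escape_string($sem);
    return "SELECT seminar_id FROM seminar WHERE name ='$quoted'";
}

echo build_unsafe($Sem), "\n";
// SELECT seminar_id FROM seminar WHERE name =''; delete from seminar where ''=''
// Two statements: pg_query sends both, and the DELETE matches every row.

echo build_escaped($Sem), "\n";
// SELECT seminar_id FROM seminar WHERE name ='''; delete from seminar where ''''='''
// One statement: the WHERE clause compares name with the payload as plain text.

// Stronger still, keep SQL and data apart entirely so nothing is ever spliced
// into the query text. DSN is a placeholder; $1 is bound server-side.
// $conn   = pg_connect("host=DB_HOST dbname=DB_NAME user=DB_USER");
// $result = pg_query_params($conn,
//     'SELECT seminar_id FROM seminar WHERE name = $1', [$Sem]);
```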


