On 19 October 2011 23:20, Jeff Davis <pgsql@xxxxxxxxxxx> wrote:
> On Wed, 2011-10-19 at 14:30 -0300, Martín Marqués wrote:
>> The only concern I have is that on insertion, I get this WARNING:
>>
>> WARNING: nonstandard use of \\ in a string literal at character 41
>> HINT: Use the escape string syntax for backslashes, e.g., E'\\'.
>>
>> Should I worry? What does it mean?
>
> First of all, the best solution is to use parameterized queries:
>
> http://us.php.net/manual/en/function.pg-query-params.php

How would that work with abstraction layers like MDB2 or PDO?

> But here's the explanation for the warning:
>
> Check the settings for:
>
> SHOW standard_conforming_strings;
> SHOW escape_string_warning;
>
> I assume that those are false and true respectively. If that's the case,
> you are safe, HOWEVER it means that you are using non-standard literals.

They are exactly that way.

> It's advisable to move to standard string literals (that is, as the SQL
> spec defines them) because if you port your application to other systems
> in the future, or if you later turn standard_conforming_strings to TRUE,
> then you could be vulnerable to SQL injection.

The only place I get these messages is when inserting (or updating) bytea
columns with images (normally jpeg and png). This is done in this way:

$foto = file_get_contents($myFile);
$escapado = pg_escape_bytea($foto);
// $db is an MDB2 object connecting to PG
$db->exec("INSERT INTO fotos VALUES ('{$escapado}')");

> To become standards-compliant, set standard_conforming_strings to TRUE,
> and pg_escape_bytea should automatically start working in the standard
> way. It is advisable to explicitly pass the connection object (first
> parameter) to pg_escape_bytea() to make sure no mistakes are made. Try
> it out with a few test strings to make sure it's using the correct
> escaping, see:

OK, so I'd have to do something like:

$escapado = pg_escape_bytea($db->connection, $foto);

But setting standard_conforming_strings to TRUE first.

If I don't change the value of standard_conforming_strings, what does
pg_escape_bytea do differently?

--
Martín Marqués
select 'martin.marques' || '@' || 'gmail.com'
DBA, Programmer, Administrator

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
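The following is an added example, not code from the thread, from PHP or from libpq. It re-implements in Python the escape-format bytea quoting that pg_escape_bytea() obtains from PQescapeByteaConn, the text quoting of pg_escape_string(), and the two server-side steps that consume the result (the string-literal scanner and the bytea input function), each parameterised on standard_conforming_strings. It answers the question at the end of the message (what changes when the setting is off: every bytea-level backslash is written twice) and shows what happens when the client escapes for one setting while the server parses under the other. The sample bytes and the `roundtrip_*` / `injection_possible` helpers are constructed for this example; they are assumptions, not PostgreSQL API.

```python
# Added example: models libpq's escape-format bytea/text quoting and the
# server-side parsing of the resulting literal, under both values of
# standard_conforming_strings.  Not libpq, not PHP, not PostgreSQL code.

OCTAL = "01234567"


def escape_bytea(data: bytes, std_strings: bool) -> str:
    """Body of a bytea literal in 'escape' format, as PQescapeByteaConn builds it.

    The bytea input function wants "\\\\" for a backslash and "\\ooo" for a byte
    outside 0x20..0x7e.  With standard_conforming_strings off the literal is
    itself parsed with backslash escapes, so each of those backslashes must be
    doubled once more to survive the scanner.  That doubling is the whole
    difference between the two modes.
    """
    bs = "\\" if std_strings else "\\\\"  # one bytea-level backslash, as written in the literal
    out = []
    for b in data:
        if b < 0x20 or b > 0x7E:
            out.append(bs + format(b, "03o"))
        elif b == 0x27:  # single quote: doubled in every mode
            out.append("''")
        elif b == 0x5C:  # backslash: two for bytea, four in a non-standard literal
            out.append(bs + bs)
        else:
            out.append(chr(b))
    return "".join(out)


def escape_text(s: str, std_strings: bool) -> str:
    """Body of a text literal as PQescapeStringConn (pg_escape_string) builds it."""
    s = s.replace("'", "''")
    return s if std_strings else s.replace("\\", "\\\\")


def parse_string_literal(body: str, std_strings: bool) -> str:
    """What the server's scanner makes of the text between the quotes.

    '' is always one quote; with standard_conforming_strings off, backslash
    escapes are interpreted as well.  A lone quote ends the literal early, so
    whatever follows it would be parsed as SQL: that is the injection point.
    """
    out, i, n = [], 0, len(body)
    while i < n:
        c = body[i]
        if c == "'":
            if body[i + 1 : i + 2] == "'":
                out.append("'")
                i += 2
                continue
            raise ValueError(f"literal ends at offset {i}; parsed as SQL: {body[i + 1:]!r}")
        if c == "\\" and not std_strings:
            if i + 1 >= n:
                raise ValueError("dangling backslash")
            nxt = body[i + 1]
            if nxt in OCTAL:  # \ooo: up to three octal digits
                j = i + 1
                while j < n and j < i + 4 and body[j] in OCTAL:
                    j += 1
                out.append(chr(int(body[i + 1 : j], 8)))
                i = j
                continue
            out.append({"b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def bytea_input(text: str) -> bytes:
    """Server-side bytea input, escape format: "\\\\" -> 0x5c, "\\ooo" -> one byte,
    anything else after a backslash is "invalid input syntax for type bytea"."""
    out, i, n = bytearray(), 0, len(text)
    while i < n:
        c = text[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
        elif text[i + 1 : i + 2] == "\\":
            out.append(0x5C)
            i += 2
        elif len(text[i + 1 : i + 4]) == 3 and all(d in OCTAL for d in text[i + 1 : i + 4]):
            out.append(int(text[i + 1 : i + 4], 8))
            i += 4
        else:
            raise ValueError("invalid input syntax for type bytea")
    return bytes(out)


def roundtrip_bytea(data: bytes, client_std: bool, server_std: bool) -> bytes:
    """Escape as a client that assumes standard_conforming_strings=client_std,
    then parse as a server actually running with server_std."""
    return bytea_input(parse_string_literal(escape_bytea(data, client_std), server_std))


def injection_possible(user_input: str, client_std: bool, server_std: bool) -> bool:
    """True if a text value escaped for client_std breaks out of the literal on a
    server running with server_std."""
    try:
        parse_string_literal(escape_text(user_input, client_std), server_std)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    SAMPLE = b"\x00\x01JPEG'\\\xff"  # constructed sample bytes, not a real image
    for std in (True, False):
        print(f"standard_conforming_strings={'on' if std else 'off'}:", escape_bytea(SAMPLE, std))
    print("client off, server on :", roundtrip_bytea(b"\x00", False, True))  # silently wrong
    print("client on, server off :", injection_possible("\\' OR 1=1 --", True, False))
```

Escaping for the wrong setting never fails loudly in the direction Jeff describes (client still escaping for "off" after the server is switched to "on"): the doubled backslashes are stored verbatim, so the image bytes are silently corrupted. In the other direction a text value containing `\'` escapes the literal entirely, which is the injection case.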