Search Postgresql Archives

Re: SQL injection, php and queueing multiple statement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Ivan Sergio Borgonovo <mail@xxxxxxxxxxxxxxx> writes:
> Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>> Use prepared statements.

> Yeah... but how can I effectively enforce the policy that ALL input
> will be passed through prepared statements?

Modify the PHP code (at whatever corresponds to the DBD layer)
to always use PQexecParams, never PQexec, even when you don't
have any parameters.

			regards, tom lane
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux