by desoi@[EMAIL PROTECTED]
(John DeSoi)
Mar 9, 2008 at 07:24 PM
On Mar 7, 2008, at 1:21 PM, Mary Anderson wrote:
> I know I should be using pg_prepare/pg_execute to make my PHP -
> postgres code more secure. But I am wondering just what I can put
> in for parameters: Here is a brief checklist:
>
> 1. values for inserted columns OK
> 2. names of inserted columns ????
> 3. names of tables ????
> 4. A whole select list e.g. "fu, bar" NOT OK
>
> My application is a bit more complex than the ones shown in the
> books and manuals. My data comes in as a large number of individual
> tables which are sort of related (worldwide mortality statistics)
> but which have widely differing table structures. So I am always
> creating temporary tables to handle data input and output, and these
> tables have variable column structure.
Values only. But you can still generate your SQL dynamically for
creating prepared statements to handle variable table and column
names. The important part is to parameterize values to secure any data
coming from outside sources.
John DeSoi, Ph.D.
--
Sent via pgsql-novice mailing list (pgsql-novice@[EMAIL PROTECTED])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-novice
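The split John describes, shown as an added example that is not part of the thread: table and column names go into the SQL text only after passing a strict identifier check and `pg_escape_identifier`, while every value is bound through `pg_prepare`/`pg_execute`. The connection string, table name and mortality rows are placeholders constructed for this example; `quoteIdent`, `loadTempTable` and `selectColumns` are hypothetical helper names, and the code assumes PHP 7.4+ with the pgsql extension against a reachable server.

```php
<?php
// Added example (not from the original thread): dynamic table/column names
// with parameterized values, using the pg_* functions discussed above.
// Connection string and sample data are placeholders constructed here.

/**
 * Validate and quote an identifier (table or column name) for interpolation
 * into SQL text. Identifiers cannot be bound as parameters, so the name is
 * checked against a strict allow-pattern and then double-quoted.
 * The pattern is deliberately narrower than PostgreSQL's own rules.
 */
function quoteIdent($conn, string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,62}$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    // pg_escape_identifier doubles embedded quotes and wraps the name in "..."
    return pg_escape_identifier($conn, $name);
}

/**
 * Create a temporary table with the given column names (all TEXT here) and
 * insert rows through a prepared statement whose values are parameters.
 *
 * $columns: column names, e.g. ['country', 'year', 'deaths']
 * $rows:    value arrays in the same column order
 * Returns the number of rows inserted.
 */
function loadTempTable($conn, string $table, array $columns, array $rows): int
{
    $qTable = quoteIdent($conn, $table);
    $qCols  = array_map(fn($c) => quoteIdent($conn, $c), $columns);

    // Dynamic part: validated identifiers are built into the SQL text.
    $colDefs = implode(', ', array_map(fn($c) => "$c TEXT", $qCols));
    if (pg_query($conn, "CREATE TEMP TABLE $qTable ($colDefs)") === false) {
        throw new RuntimeException(pg_last_error($conn));
    }

    // Parameterized part: one $n placeholder per column, values never inlined.
    $placeholders = implode(', ', array_map(fn($i) => '$' . ($i + 1), array_keys($columns)));
    $insert = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $qTable, implode(', ', $qCols), $placeholders);

    $stmtName = 'ins_' . $table;
    if (pg_prepare($conn, $stmtName, $insert) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }

    $count = 0;
    foreach ($rows as $row) {
        if (count($row) !== count($columns)) {
            throw new InvalidArgumentException('Row width does not match column list');
        }
        // Each value travels separately from the SQL text, so quotes or
        // semicolons in the data cannot change the statement.
        if (pg_execute($conn, $stmtName, array_values($row)) === false) {
            throw new RuntimeException(pg_last_error($conn));
        }
        $count++;
    }
    return $count;
}

/** The "whole select list" case: a list built from validated identifiers. */
function selectColumns($conn, string $table, array $columns): array
{
    $qCols = array_map(fn($c) => quoteIdent($conn, $c), $columns);
    $sql = sprintf('SELECT %s FROM %s', implode(', ', $qCols), quoteIdent($conn, $table));
    $res = pg_query($conn, $sql);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Usage with a placeholder connection string and constructed sample rows.
$conn = pg_connect('host=localhost dbname=example user=example password=example');
$n = loadTempTable($conn, 'mortality_1990', ['country', 'year', 'deaths'], [
    ['Chile', '1990', '70000'],
    ["O'Brienland", '1990', '12'],   // the quote is harmless as a parameter
]);
echo "$n rows loaded\n";
print_r(selectColumns($conn, 'mortality_1990', ['country', 'deaths']));
```

When the column or table names themselves originate outside the application (uploaded file headers, request parameters), the regex is a floor, not a ceiling: compare each name against the set of columns the code actually expects before it reaches `quoteIdent`, and keep the prepared statement name derived only from names that have passed that check.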