I am just doing some playing around with PHP to learn how to avoid SQL injection attacks.
It has been mentioned in a few places that pg_query_params is supposed to protect from sql injection without needing to mess around escaping quotes and things.
However, I was still able to get it to drop a table by feeding in this input "1; drop table results" to the following statement:
$r = pg_query_params($p, 'select * from results where res_id = $1', array($input));
Everyone keeps repeating the same "pg_query_params is safe from SQL injection", but surely someone else must have actually tried it? Where am I going wrong?
I am using Postgresql 8.3 for OS X on 10.5.2, and MAMP which has PHP Version 5.2.5.
Thanks
Kevin
--
Sent via pgsql-php mailing list (pgsql-php@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-php
No comments:
Post a Comment