PHP :: Request #28199 :: Add way to execute pgsql queries with sql bound parameters

Add way to execute pgsql queries with sql bound parameters

Submitted:

2004-04-28 04:45 UTC

Modified:

2005-03-21 09:23 UTC

Votes:	5
Avg. Score:	5.0 ± 0.0
Reproduced:	5 of 5 (100.0%)
Same Version:	4 (80.0%)
Same OS:	4 (80.0%)

From:

jlawson-php at bovine dot net

Assigned:

chriskl (profile)

Status:

Closed

Package:

Feature/Change Request

PHP Version:

4.3.6

OS:

FreeBSD

Private report:

CVE-ID:

None

View Developer Edit

[2004-04-28 04:45 UTC] jlawson-php at bovine dot net

Description:
------------
Using bound parameters when executing SQL commands should be encouraged, since use of it for all substitutable variables will eliminate most SQL injection types of attacks.

Although some of the database providers in PHP already provide ways to prepare/execute queries with substituted parameters, not all of them do.  The "pgsql" PHP extension for PostgreSQL does not include any existing way, so I have implemented a new pg_query_params() function that allows you to do this in a single function call.

Note that this my new method has chosen not follow the style of providing two separate prepare/execute functions for bound parameter execution.  This is because with PostgreSQL it would require the user to use a significantly different SQL query format and assign the prepared query a session-unique name, making it much more cumbersome to use.  ie: "PREPARE mystmt(text,int,float8) AS insert into abc values($1,$2,$3)" instead of just "insert into abc values($1,$2,$3)"

PostgreSQL requires that parameter binding uses numbered placeholders ($1, $2, $3, etc) instead of just an unlabelled "?", that is common for the other providers (like ODBC).

The PQexecParams() pqlib function that I depend on is unfortunately only available in PostgreSQL 7.4, so some autoconf checks will need to be added before integrating my new function into PHP.

Reproduce code:
---------------
A patch including my new extension function will be attached later.  However sample code that uses my function might be:

$params = array("joe's place", 22, 123.4);
pg_query_params("insert into abc values($1,$2,$3)", $params);


Expected result:
----------------
n/a

Actual result:
--------------
n/a

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-04-28 04:49 UTC] jlawson-php at bovine dot net

I guess bug attachments aren't supported here.  In any case, you can download it from here:

http://bugs.distributed.net/attachment.cgi?id=301&action=view

(If you case, the enhancement/bug that I developed this patch for at distributed.net is available at http://bugs.distributed.net/show_bug.cgi?id=3643 )

[2005-03-21 09:23 UTC] chriskl@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Believe it or not I just commited an identical function independently.  From the NEWS file:

- Added several new functions to support the PostgreSQL v3 protocol introduced
  in PostgreSQL 7.4. (Christopher)
  . pg_transaction_status() - in-transaction status of a database connection.
  . pg_query_params() - execution of parameterized queries.
  . pg_prepare() - prepare named queries.
  . pg_execute() - execution of named prepared queries.
  . pg_send_query_params() - async equivalent of pg_query_params().
  . pg_send_prepare() - async equivalent of pg_prepare().
  . pg_send_execute() - async equivalent of pg_execute().
  . pg_result_error_field() - highly detailed error information,
    most importantly the SQLSTATE error code.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Aug 15 19:01:28 2024 UTC