Beware of the following: pg_insert() and pg_update() are adding slashes to all character-like fields they work with. This makes them SQL injection super-safe, but there are unwanted consequences, as follows: If you have a regular setup with magic_quotes_gpc=On, and you use pg_insert() or pg_update(), you will end up with fields that look as if you used addslashes() twice. To solve this, you can use stripslashes() on the data just before using it with pg_insert() or pg_update(). There's another alternative, which seems better to me. Why do this, when the only place you actually need those slashes is right when you push the data into the database? Why make yourself crazy all over the code, adding slashes, stripping slashes, worrying whether magic_quotes_gpc is on or off and so on and so forth? So why not get rid of your addslashes() and stripslashes() from all over your code, and turn magic_quotes_gpc off. As long as you always use pg_insert() and pg_update() to do your DB work, you're SQL-injection safe AND slash-headache free.

My version checks whether the value is bool, null, string or numeric, and if one of the values is not, the function returns false. Next version :)

null values are inserted as NULL, bool as true or false, and strings are add-slashed before being added to the query string. SQL injection is possible with column names if you use $_POST or something similar as the $array.

INSERT inserts new rows into a table. One can insert one or more rows specified by value expressions, or zero or more rows resulting from a query. The target column names can be listed in any order. If no list of column names is given at all, the default is all the columns of the table in their declared order, or the first N column names if there are only N columns supplied by the VALUES clause or query.
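An added illustration of the column-name point raised in the notes above (this is example code, not any commenter's function and not part of the PHP manual): pg_insert() escapes the values it is given, but the array keys become column identifiers as-is, so an allowlist of permitted columns and the bool/null/string/numeric check the note describes belong in front of the call. The connection `$conn`, the `users` table and its column list are assumptions.

```php
<?php
// Added example: guard pg_insert() against untrusted column names.
// Assumes an open connection $conn and a table "users" with these columns.
const USERS_COLUMNS = ['name', 'email', 'is_admin', 'age'];

/**
 * Keep only allowlisted columns and accept only values that are
 * bool, null, string or numeric. Returns the filtered row, or null
 * if any key or value is unacceptable.
 */
function filterInsertRow(array $input, array $allowedColumns): ?array
{
    $row = [];
    foreach ($input as $column => $value) {
        // pg_insert() never escapes column names: refuse any key that is
        // not a known column instead of trusting text taken from $_POST.
        if (!in_array($column, $allowedColumns, true)) {
            return null;
        }
        if (!(is_bool($value) || is_null($value) || is_string($value)
              || is_int($value) || is_float($value))) {
            return null;
        }
        $row[$column] = $value;
    }
    return $row === [] ? null : $row;
}

// Constructed request data: a legitimate row, then one carrying a key
// that is not a permitted column (the kind of input $_POST can deliver).
$clean = ['name' => "O'Brien", 'email' => 'ob@example.test', 'is_admin' => false];
$row = filterInsertRow($clean, USERS_COLUMNS);
if ($row !== null) {
    // PGSQL_DML_STRING returns the statement pg_insert() would run, with
    // the quote in O'Brien already escaped; useful when reviewing what
    // actually reaches the database.
    echo pg_insert($conn, 'users', $row, PGSQL_DML_STRING), "\n";
    pg_insert($conn, 'users', $row);
}

$unexpected = ['name' => 'Eve', 'role' => 'admin'];
var_dump(filterInsertRow($unexpected, USERS_COLUMNS)); // NULL: "role" is not allowlisted
```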