postsql with placeholder for php

Posted: Fri Aug 24, 2007 3:14 am
by johnhelen
Hello

I have a simple query like:

$dbconn = pg_Connect("dbname=abc user=abc");

$query = "SELECT * FROM subscriber where subscriber.id = $id";
$result = pg_exec($query);
...

It can be seen that I have $id in the query and this is not a good practice. I want to have a placeholder like this:

$query = "SELECT * FROM subscriber where subscriber.id = ?";

How can I rewrite the code above?

Many thanks

john

The problem is

Posted: Fri Aug 24, 2007 3:38 am
by johnhelen
My problem is that I use a very old version of PHP and Postgres:
PHP: 4.1
Postgres: 7.2
So I cannot use the pg_prepare() function.

Any suggestions?

Posted: Fri Aug 24, 2007 7:20 am
by Begby
You can look into PEAR DB, as that should do that for you.

However, it is safe to put a variable in your query as long as you properly escape your variables. You will just need to do it manually.

Thanks but

Posted: Fri Aug 24, 2007 3:30 pm
by johnhelen
Hello
> it is safe to put a variable in your query as long as you properly escape your variables

How can I do that? I want to avoid the SQL injection problem.

Thanks

Posted: Fri Aug 24, 2007 4:20 pm
by feyd

Posted: Fri Aug 24, 2007 10:24 pm
by johnhelen
pg_escape_string() possibly.

This function is for PHP >= 4.2.

Posted: Fri Aug 24, 2007 10:37 pm
by s.dot
It is recommended that you upgrade your PHP version, if at all possible. PHP4 will not be actively supported for very much longer.

Try addslashes().
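The two suggestions above amount to "quote and escape every value yourself". As an added example (written for this edit, not code from the thread or from any of the posters), here is a small placeholder binder that works on PHP 4.1 against PostgreSQL 7.2, where neither pg_prepare() nor pg_escape_string() exists. It replaces each ? in the query with a value that has been typed and quoted for PostgreSQL, and for the original integer id it simply casts to int, which is the most robust option when the column is numeric. The function names pg_quote_literal, pg_format_param and pg_bind, and the use of $_GET['id'] as the input source, are my assumptions.

```php
<?php
// Added example, not from the thread: a minimal '?' placeholder binder for
// PHP 4.1 / PostgreSQL 7.2, where pg_prepare() and pg_escape_string() are
// unavailable. All helper names below are assumptions made for this example.

// Escape a PHP string so it is safe inside a PostgreSQL single-quoted literal.
// Assumption: the server treats backslashes as escape characters in ordinary
// literals (the behaviour of PostgreSQL 7.x), so both \ and ' are doubled.
function pg_quote_literal($value)
{
    $value = str_replace('\\', '\\\\', $value);   // \  -> \\
    $value = str_replace("'", "''", $value);      // '  -> ''
    return "'" . $value . "'";
}

// Render one parameter as SQL text according to its PHP type.
function pg_format_param($value)
{
    if (is_null($value)) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? 'TRUE' : 'FALSE';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;               // numbers need no quoting
    }
    return pg_quote_literal((string) $value);  // everything else is a string
}

// Replace each '?' in $sql with the matching element of $params.
// The query text must contain no user data at all; a '?' inside a quoted
// literal in $sql would be substituted too, so keep all values in $params.
function pg_bind($sql, $params)
{
    $parts = explode('?', $sql);
    if (count($parts) - 1 != count($params)) {
        trigger_error('placeholder count does not match parameter count', E_USER_ERROR);
        return false;
    }
    $out = $parts[0];
    for ($i = 0; $i < count($params); $i++) {
        $out .= pg_format_param($params[$i]) . $parts[$i + 1];
    }
    return $out;
}

// The thread's query, rewritten. Casting to int means a value such as
// "5 OR 1=1" arrives in the query as the integer 5 and nothing else.
$id = (int) $_GET['id'];
$query = pg_bind("SELECT * FROM subscriber WHERE subscriber.id = ?", array($id));

// A string parameter goes through the quoting path instead:
// pg_bind("SELECT * FROM subscriber WHERE email = ?", array("o'brien@example.org"))
// yields  SELECT * FROM subscriber WHERE email = 'o''brien@example.org'

$dbconn = pg_connect("dbname=abc user=abc");
$result = pg_exec($dbconn, $query);
```

One PHP 4 caveat when using this: if magic_quotes_gpc is enabled in php.ini (the default on PHP 4), values in $_GET and $_POST already carry backslashes added by addslashes(), so run stripslashes() on them first or the escaping is applied twice. Keeping every value in $params and every piece of SQL in the query string is what makes the approach equivalent in spirit to the ? placeholders john asked for; the moment a value is concatenated into the query text directly, the escaping no longer covers it.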