ID:               28199
 Updated by:       [EMAIL PROTECTED]
 Reported By:      jlawson-php at bovine dot net
-Status:           Open
+Status:           Closed
 Bug Type:         Feature/Change Request
 Operating System: FreeBSD
 PHP Version:      4.3.6
-Assigned To:      
+Assigned To:      chriskl
 New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Believe it or not, I just committed an identical function independently.
From the NEWS file:

- Added several new functions to support the PostgreSQL v3 protocol introduced
  in PostgreSQL 7.4. (Christopher)
  . pg_transaction_status() - in-transaction status of a database connection.
  . pg_query_params() - execution of parameterized queries.
  . pg_prepare() - prepare named queries.
  . pg_execute() - execution of named prepared queries.
  . pg_send_query_params() - async equivalent of pg_query_params().
  . pg_send_prepare() - async equivalent of pg_prepare().
  . pg_send_execute() - async equivalent of pg_execute().
  . pg_result_error_field() - highly detailed error information,
    most importantly the SQLSTATE error code.



Previous Comments:
------------------------------------------------------------------------

[2004-04-28 04:49:42] jlawson-php at bovine dot net

I guess bug attachments aren't supported here.  In any case, you can
download it from here:

http://bugs.distributed.net/attachment.cgi?id=301&action=view

(If you care, the enhancement/bug that I developed this patch for at
distributed.net is available at
http://bugs.distributed.net/show_bug.cgi?id=3643 )

------------------------------------------------------------------------

[2004-04-28 04:45:34] jlawson-php at bovine dot net

Description:
------------
Using bound parameters when executing SQL commands should be
encouraged, since use of it for all substitutable variables will
eliminate most SQL injection types of attacks.

Although some of the database providers in PHP already provide ways to
prepare/execute queries with substituted parameters, not all of them
do.  The "pgsql" PHP extension for PostgreSQL does not include any
existing way, so I have implemented a new pg_query_params() function
that allows you to do this in a single function call.

Note that my new method has chosen not to follow the style of
providing two separate prepare/execute functions for bound parameter
execution.  This is because with PostgreSQL it would require the user
to use a significantly different SQL query format and assign the
prepared query a session-unique name, making it much more cumbersome to
use.  i.e.: "PREPARE mystmt(text,int,float8) AS insert into abc
values($1,$2,$3)" instead of just "insert into abc values($1,$2,$3)"

PostgreSQL requires that parameter binding uses numbered placeholders
($1, $2, $3, etc.) instead of just an unlabelled "?", which is common for
the other providers (like ODBC).

The PQexecParams() libpq function that I depend on is unfortunately
only available in PostgreSQL 7.4, so some autoconf checks will need to
be added before integrating my new function into PHP.

Reproduce code:
---------------
A patch including my new extension function will be attached later.
However, sample code that uses my function might be:

<?php
// Open a connection first; pg_query_params() uses the last-opened
// connection when none is passed explicitly.
$conn = pg_connect("dbname=test");
$params = array("joe's place", 22, 123.4);
// Single quotes keep the $1..$3 placeholders out of PHP interpolation.
$result = pg_query_params('insert into abc values($1,$2,$3)', $params);
if ($result === false) {
    echo pg_last_error($conn), "\n";
}


Expected result:
----------------
n/a

Actual result:
--------------
n/a


------------------------------------------------------------------------
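The following is an added example, not code from the bug report, its attached patch, or the PHP sources. It illustrates both the NEWS entry above (pg_query_params(), pg_prepare()/pg_execute(), the async pg_send_query_params()/pg_get_result() pair and pg_result_error_field() with the SQLSTATE code) and the reporter's point that numbered $1..$n placeholders keep untrusted values out of the SQL text. It assumes a PHP build that includes these functions (they need libpq from PostgreSQL 7.4 or later), a reachable database described by the hypothetical connection string below, and a table created as CREATE TABLE abc (name text, qty int, price float8); the input rows, including the injection attempt, are constructed for the example.

```php
<?php
// Added example, not from the bug report or from PHP itself.
// Assumed environment: pg_* functions from the NEWS entry available,
// database reachable via the hypothetical DSN below, and a table
// created as: CREATE TABLE abc (name text, qty int, price float8);

$conn = pg_connect('host=localhost dbname=test user=app password=secret');
if ($conn === false) {
    die("connection failed\n");
}

// Constructed inputs: the value from the report, then an injection attempt.
$rows = array(
    array("joe's place", 22, 123.4),
    array("x', 0, 0); DELETE FROM abc; --", 1, 1.0),
);

// 1. Vulnerable pattern, shown but never executed here: the SQL text is
//    built from the values. Row 1 yields a syntax error (stray quote);
//    row 2 yields two statements, and pg_query() would run the DELETE.
function build_unsafe_sql(array $row)
{
    list($name, $qty, $price) = $row;
    return "INSERT INTO abc VALUES ('$name', $qty, $price)";
}

// 2. Safe: pg_query_params(). Placeholders are numbered $1..$n (PostgreSQL
//    does not accept "?"). Values travel separately from the SQL text, so
//    a quote or semicolon in $name is stored as data, not parsed as SQL.
//    Single-quoted PHP string: "$1" would not interpolate either (variable
//    names cannot start with a digit), but single quotes avoid any doubt.
function insert_with_params($conn, array $row)
{
    return pg_query_params($conn, 'INSERT INTO abc VALUES ($1, $2, $3)', $row);
}

// 3. Safe, prepare once / execute many: pg_prepare() + pg_execute(). The
//    statement name is per session; preparing the same name twice on one
//    connection fails with SQLSTATE 42P05 (duplicate_prepared_statement).
function insert_prepared($conn, array $rows)
{
    if (pg_prepare($conn, 'ins_abc', 'INSERT INTO abc VALUES ($1, $2, $3)') === false) {
        return false;
    }
    foreach ($rows as $row) {
        if (pg_execute($conn, 'ins_abc', $row) === false) {
            return false;
        }
    }
    return true;
}

// 4. SQLSTATE-aware error handling. pg_query_params() returns false on
//    failure, so the async variant is used: pg_get_result() hands back a
//    result even on error, and pg_result_error_field() can read it.
function select_by_name($conn, $name)
{
    pg_send_query_params($conn, 'SELECT qty, price FROM abc WHERE name = $1', array($name));
    $res = pg_get_result($conn);
    if (pg_result_status($res) !== PGSQL_TUPLES_OK) {
        return 'SQLSTATE ' . pg_result_error_field($res, PGSQL_DIAG_SQLSTATE)
            . ': ' . pg_result_error_field($res, PGSQL_DIAG_MESSAGE_PRIMARY);
    }
    $out = array();
    while (($r = pg_fetch_assoc($res)) !== false) {
        $out[] = $r;
    }
    return $out;
}

foreach ($rows as $row) {
    echo "unsafe text would be: ", build_unsafe_sql($row), "\n";
    if (insert_with_params($conn, $row) === false) {
        echo "insert failed: ", pg_last_error($conn), "\n";
    }
}
insert_prepared($conn, $rows);

// The injection string comes back as an ordinary stored value.
print_r(select_by_name($conn, "x', 0, 0); DELETE FROM abc; --"));

// A wrong-typed parameter is rejected by the server with an SQLSTATE
// (22P02, invalid_text_representation) rather than altering the query.
pg_send_query_params($conn, 'SELECT * FROM abc WHERE qty = $1', array('not-a-number'));
$res = pg_get_result($conn);
echo pg_result_error_field($res, PGSQL_DIAG_SQLSTATE), "\n";
```

The contrast to take from the two paths: with string building, the second row's name is parsed as SQL and the DELETE executes; with $1..$3 binding, the same bytes are simply a text value, and whether the statement is sent once (pg_query_params) or prepared under a session-local name (pg_prepare/pg_execute) makes no difference to that property.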

