
Safe inserts?



This seems like something that should be easy to find, but I've been searching for a week for an answer.


I've got a site that has a public form that is filled out by unknown people.


I want to make sure my database and information is as safe as possible from attacks.


So I've got my form data in the post array. I need to check it to make sure it is valid.


I've got most of that down.


But then what?


How do I get the information into my database in an efficient but secure way?


You can use pg_escape_string on the data, then enclose it with single quotes.  Something like this:


$sql = "INSERT INTO tab (col1) VALUES (E'" . pg_escape_string($data) . "')";


The "E" says that there's an escaped string following.  You can leave it out and it'll generally work, but newer versions of postgres will generate a warning.


For data that should be a specific data type (such as an integer), you can filter the string so it only contains digits, for example.


$sql = "INSERT INTO tab (col1) VALUES (E'" . pg_escape_string($data) . "')";





So would I repeat this line for each column? I've got about 30 columns.


Or could I do a loop on something like:


$sql = "INSERT INTO tab ($key) VALUES (E'" . pg_escape_string($data) . "')";




Columns get added all with one statement.  For example:


$sql = "INSERT INTO tab (col1, col2, col3) VALUES (E'" . pg_escape_string($col1_data) . "', E'" . pg_escape_string($col2_data) . "', E'" . pg_escape_string($col3_data) . "')";


If you need to add multiple rows, then you should use a loop for that.  Just not for the columns (at least not normally).
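Putting the two replies above together, here is an added example (not code from anyone in this thread) of building the single multi-column INSERT from a submitted form. Column names come only from a fixed allow-list in the script, each value is validated for its type, string values go through pg_escape_string() into an E'' literal, and integer values are kept to digits so they need no quoting at all. The table "tab", its columns, the connection string and the $form sample are all assumptions made for the example. The final call shows the same insert done with pg_query_params(), which sends the values separately from the statement text so no quoting or escaping is needed at all.

```php
<?php
// Added example: one INSERT covering several columns, built safely from form input.
// Assumptions: table "tab" with columns name, email, age, comment; $conn is an open
// pg_connect() handle; $form stands in for $_POST.

// Allow-list of columns the form may write, with a validation rule for each.
// A key the client sends that is not listed here is never written.
$columns = [
    'name'    => 'text',
    'email'   => 'email',
    'age'     => 'int',
    'comment' => 'text',
];

// Returns the value as a cleaned string, or null when it is not acceptable.
function validateField(string $type, $value): ?string
{
    switch ($type) {
        case 'int':
            // Digits only: the literal is then safe to place unquoted in the SQL.
            return preg_match('/^\d{1,9}$/', (string) $value) ? (string) $value : null;
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
        case 'text':
            return (is_string($value) && strlen($value) <= 2000) ? $value : null;
    }
    return null;
}

// Builds the INSERT statement, or returns null if any field is missing or invalid.
// $table comes from the script, never from the request.
function buildInsert($conn, string $table, array $columns, array $input): ?string
{
    $names  = [];
    $values = [];
    foreach ($columns as $name => $type) {
        if (!array_key_exists($name, $input)) {
            return null; // required field missing
        }
        $clean = validateField($type, $input[$name]);
        if ($clean === null) {
            return null;
        }
        $names[]  = $name;
        $values[] = ($type === 'int')
            ? $clean                                           // validated digits, unquoted
            : "E'" . pg_escape_string($conn, $clean) . "'";    // escaped string literal
    }
    return "INSERT INTO $table (" . implode(', ', $names) . ") VALUES ("
         . implode(', ', $values) . ")";
}

$conn = pg_connect('dbname=app');                      // assumed connection string
$form = [                                              // constructed sample input
    'name'    => "O'Brien",
    'email'   => 'o.brien@example.com',
    'age'     => '42',
    'comment' => 'Hello; DROP nothing',
];

$sql = buildInsert($conn, 'tab', $columns, $form);
if ($sql === null) {
    http_response_code(400);
    exit('invalid input');
}
pg_query($conn, $sql) or die(pg_last_error($conn));

// Same insert with pg_query_params(): values travel separately from the
// statement text, so there is nothing to quote or escape by hand.
pg_query_params(
    $conn,
    'INSERT INTO tab (name, email, age, comment) VALUES ($1, $2, $3, $4)',
    [$form['name'], $form['email'], $form['age'], $form['comment']]
) or die(pg_last_error($conn));
```

The loop walks the allow-list rather than the request, which is what keeps 30 columns manageable without ever letting a client-supplied key become a column name in the SQL.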


pg_insert()?  I didn't know that existed :)


Judging by the comment in the example in the php docs, it's injection safe.  But the function is also labelled as experimental :)


Anyway if it IS telling the truth and it is safe, then you definitely must NOT call pg_escape_string() yourself, as otherwise you'll get your strings escaped twice.  That's a real hassle when that happens.


Yeah, I removed the pg_escape_string after I checked my data.


I've been testing pg_insert and pg_update and both have been working so far.


Still need to build in my verification and some other security stuff, but basically running the two on $_POST works (key names need to match column names).
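The last post runs pg_insert() directly on $_POST and notes that the keys must match column names. As an added example (not the poster's code), this shows the verification step still to be built: reduce the request to an allow-list of keys first, so a stray key like is_admin never reaches the table, then type-check what remains before handing it to pg_insert(). The table "tab", its columns, the connection string and the $post sample are assumptions for the example. PGSQL_DML_STRING makes pg_insert() return the statement it would run instead of executing it, which is useful for reviewing what the function actually builds.

```php
<?php
// Added example: filtering a public form before pg_insert().
// Assumptions: table "tab" with columns name, email, age; $conn is an open
// pg_connect() handle; $post stands in for $_POST.

$allowed = ['name', 'email', 'age'];   // the only keys that may reach the table

// Returns the validated row, or null if a field is missing or invalid.
function rowFromForm(array $post, array $allowed): ?array
{
    // Keep only allow-listed keys; anything else in the request is dropped here.
    $row = array_intersect_key($post, array_flip($allowed));
    if (count($row) !== count($allowed)) {
        return null;                       // a required field is missing
    }
    // pg_insert() escapes values, but it cannot know that "age" must be a small
    // positive integer or that "email" must look like an address.
    if (!preg_match('/^\d{1,3}$/', (string) $row['age'])) {
        return null;
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (!is_string($row['name']) || $row['name'] === '' || strlen($row['name']) > 200) {
        return null;
    }
    $row['age'] = (int) $row['age'];
    return $row;
}

$conn = pg_connect('dbname=app');          // assumed connection string
$post = [                                  // constructed sample request
    'name'     => "O'Brien",
    'email'    => 'o.brien@example.com',
    'age'      => '42',
    'is_admin' => '1',                     // not in the allow-list: discarded
];

$row = rowFromForm($post, $allowed);
if ($row === null) {
    http_response_code(400);
    exit('invalid input');
}

// Show the statement pg_insert() would run, without executing it.
$preview = pg_insert($conn, 'tab', $row, PGSQL_DML_STRING);
error_log('about to run: ' . $preview);

// Execute the insert; the returned keys are exactly the allow-listed columns.
pg_insert($conn, 'tab', $row) or die(pg_last_error($conn));
```

Because pg_insert() looks up the table's column metadata, an unexpected key would make the call fail rather than silently succeed; the allow-list turns that failure into a clean 400 response before any database call is made.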

