Newsgroups: php.internals
Xref: news.php.net php.internals:56468
Date: Wed, 23 Nov 2011 06:42:25 +0900
To: Rafael Kassner
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] pg_escape_literal(),
pg_escape_identifier() patch
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi,

Thanks for the comments.

2011/11/22 Rafael Kassner :
> I've ported everything to UTF-8 (this included rewriting an 8-year-old
> application). I guess this is a good implementation, considering that
> many people still use old PostgreSQL versions.

I think so, too. A database server's (and its code's) life is very long.

> About pg_escape_identifier, does this fix an old problem when we use
> some reserved column names, like "login"?

Any words (valid chars) can be used with pg_escape_identifier().

2011/11/23 Daniel Convissor :
> Regarding pg_escape_literal(), which implements PQescapeLiteral, it is
> very similar to PHP's pg_escape_string(), implementing
> PQescapeStringConn. What is the benefit of adding this new function?

pg_escape_literal() does basically the same thing as pg_escape_string(),
except that it does stricter escaping (e.g. E'escaped string') and it
adds quotes around the string automatically. We can think of it as a
fool-safe escape function.

The following link is the example code. I tested with PostgreSQL 8.4
and its libpq.

https://gist.github.com/1387033

I think these functions are very useful for securing PHP applications
using PostgreSQL, especially applications that need to use DDL.

Are there any objections or comments about committing it to trunk? If
not, I'll commit it to trunk.

It's a nice-to-have feature for PHP 5.4. It's purely an addition to the
pgsql module; therefore, it has no side effects on existing features.
5.4.0 is in RC, but it may be OK for PHP 5.4.1, I guess.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
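As an added illustration of the difference discussed in this thread (this is not the patch's code, the gist's code, or any poster's code), the script below puts pg_escape_string() next to pg_escape_literal() and pg_escape_identifier() on the same inputs. It assumes PHP with the pgsql extension at a version that ships the two new functions (5.4.4 or later), and a reachable PostgreSQL server whose connection string is supplied in a PGCONN environment variable; the table name t, the PGCONN variable and the sample inputs are all assumptions made for this example.

```php
<?php
// Added example, not code from the patch or the mailing-list post.
// Assumes PHP >= 5.4.4 with the pgsql extension and a server reachable via
// the PGCONN environment variable (assumption; falls back to dbname=test).

function build_statements($conn, $table, $value)
{
    // pg_escape_string(): the result carries no quotes. The caller has to
    // add them, and has to remember the E prefix when backslashes matter.
    // A forgotten pair of quotes at the call site is a plain SQL injection.
    $raw = pg_escape_string($conn, $value);
    $viaString = "INSERT INTO t (name) VALUES ('" . $raw . "')";

    // pg_escape_literal(): the surrounding quotes are part of the return
    // value, so the call site cannot omit them. When the input contains a
    // backslash, libpq returns the E'...' form so the statement is read the
    // same way whatever standard_conforming_strings is set to.
    $lit = pg_escape_literal($conn, $value);
    $viaLiteral = "INSERT INTO t (name) VALUES (" . $lit . ")";

    // pg_escape_identifier(): wraps the name in double quotes and doubles
    // any embedded double quote. That is what lets caller-supplied names be
    // used in DDL, and lets a reserved word such as login name a table.
    $ident = pg_escape_identifier($conn, $table);
    $ddl = "CREATE TEMP TABLE " . $ident . " (id integer)";

    return array('string' => $viaString, 'literal' => $viaLiteral, 'ddl' => $ddl);
}

$conn = pg_connect(getenv('PGCONN') ?: 'dbname=test');
if ($conn === false) {
    fwrite(STDERR, "pg_connect failed\n");
    exit(1);
}

// Constructed sample input: a reserved word as the identifier, and a value
// carrying both a single quote and a backslash.
$stmts = build_statements($conn, 'login', "O'Reilly C:\\temp");

foreach ($stmts as $kind => $sql) {
    echo $kind, ": ", $sql, "\n";
}

// Execute the DDL to show that the quoted reserved word is accepted.
if (pg_query($conn, $stmts['ddl']) === false) {
    fwrite(STDERR, pg_last_error($conn) . "\n");
    exit(1);
}
```

Two caveats a practitioner should keep in mind. First, a quoted identifier is case-sensitive, so pg_escape_identifier($conn, 'Login') names a different table than the unquoted login would. Second, quoting stops the name from breaking out of the statement, but it does not decide whether the caller should be allowed to touch that table at all; an allow-list or authorization check on the name is still needed in front of any DDL built from user input.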