Leave it up to the user to decide whether or not to escape the sequence name.

What was wrong with the original coding? Can't you just leave the PQescapeString call in there?

Chris

http://cvs.php.net/diff.php/php-src/ext/pdo_pgsql/pgsql_driver.c?r1=1.47&r2=1.48&ty=u
Index: php-src/ext/pdo_pgsql/pgsql_driver.c
diff -u php-src/ext/pdo_pgsql/pgsql_driver.c:1.47 
php-src/ext/pdo_pgsql/pgsql_driver.c:1.48
--- php-src/ext/pdo_pgsql/pgsql_driver.c:1.47   Wed Jul  6 20:52:19 2005
+++ php-src/ext/pdo_pgsql/pgsql_driver.c        Wed Jul  6 22:17:20 2005
@@ -16,7 +16,7 @@
   +----------------------------------------------------------------------+
 */
-/* $Id: pgsql_driver.c,v 1.47 2005/07/07 00:52:19 iliaa Exp $ */
+/* $Id: pgsql_driver.c,v 1.48 2005/07/07 02:17:20 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -213,11 +213,6 @@
                char *q;
                ExecStatusType status;
- /* SQL injection protection */
-               if (strchr(name, '\'')) {
-                       return NULL;
-               }
-
                spprintf(&q, sizeof("SELECT CURRVAL('')") + strlen(name), "SELECT 
CURRVAL('%s')", name);
                res = PQexec(H->server, q);
                efree(q);
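Review bot: Dropping the quote check at the top of the hunk leaves `name` interpolated verbatim into the `SELECT CURRVAL('%s')` literal built by `spprintf`, so a `'` in a caller-supplied sequence name now terminates the literal and whatever follows is executed as SQL by `PQexec`. The commit message defers escaping to the user, but nothing in this hunk enforces or documents that contract, and the removed `strchr` guard was the only visible defence. If arbitrary names are meant to be accepted, escape them here with `PQescapeString` (the routine this thread refers to; it needs a `2*len+1` buffer) before formatting rather than removing the guard outright; if the intent really is caller responsibility, at minimum say so in a comment above the `spprintf` call, e.g. `/* caller must supply an already-escaped sequence name: it is placed inside a quoted literal unmodified */`. The enclosing function begins and continues outside the hunk, so whether `res` is checked afterwards is not visible here.
```c
		char *q;
		char *esc;
		size_t name_len = strlen(name);
		ExecStatusType status;

		/* name lands inside a quoted literal: escape it so an embedded
		 * quote cannot break out of the string and inject SQL */
		esc = emalloc(name_len * 2 + 1);
		PQescapeString(esc, name, name_len);
		spprintf(&q, 0, "SELECT CURRVAL('%s')", esc);
		efree(esc);
		res = PQexec(H->server, q);
		efree(q);
		/* … unchanged: result handling … */
```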

