How about using a stack variable for this temporary allocation?

On 7/7/05, Ilia Alshanetsky <[EMAIL PROTECTED]> wrote:
> Edink,
> 
> It is malloc + PQescapeString + free, which in most cases are completely
> unnecessary. While as Christopher demonstrates sequence name could
> contain special chars, I'd wager that is a VERY uncommon situation.
> 
> Ilia
> 
> Edin Kadribasic wrote:
> > Hi Ilia,
> >
> > Would you please revert this change?
> >
> > Saving one malloc/free in a function that has to query the DB server anyway
> > is not going to give you much performance improvement, while other methods
> > are not portable across different PostgreSQL versions.
> >
> > Edin
> >
> > On Thursday 07 July 2005 02:52, Ilia Alshanetsky wrote:
> >
> >>iliaa  Wed Jul  6 20:52:20 2005 EDT
> >>
> >>  Modified files:
> >>    /php-src/ext/pdo_pgsql pgsql_driver.c
> >>  Log:
> >>  Faster sequence id retrieval.
> >>
> >>
> >>
> >>http://cvs.php.net/diff.php/php-src/ext/pdo_pgsql/pgsql_driver.c?r1=1.46&r2=1.47&ty=u
> >>Index: php-src/ext/pdo_pgsql/pgsql_driver.c
> >>diff -u php-src/ext/pdo_pgsql/pgsql_driver.c:1.46 php-src/ext/pdo_pgsql/pgsql_driver.c:1.47
> >>--- php-src/ext/pdo_pgsql/pgsql_driver.c:1.46 Fri Jul  1 18:43:16 2005
> >>+++ php-src/ext/pdo_pgsql/pgsql_driver.c Wed Jul  6 20:52:19 2005
> >>@@ -16,7 +16,7 @@
> >>   +----------------------------------------------------------------------+
> >> */
> >>
> >>-/* $Id: pgsql_driver.c,v 1.46 2005/07/01 22:43:16 edink Exp $ */
> >>+/* $Id: pgsql_driver.c,v 1.47 2005/07/07 00:52:19 iliaa Exp $ */
> >>
> >> #ifdef HAVE_CONFIG_H
> >> #include "config.h"
> >>@@ -210,15 +210,16 @@
> >>              *len = spprintf(&id, 0, "%ld", (long) H->pgoid);
> >>      } else {
> >>              PGresult *res;
> >>-             char *name_escaped, *q;
> >>-             size_t l = strlen(name);
> >>+             char *q;
> >>              ExecStatusType status;
> >>
> >>-             name_escaped = safe_emalloc(l, 2, 1);
> >>-             PQescapeString(name_escaped, name, l);
> >>-             spprintf(&q, 0, "SELECT CURRVAL('%s')", name_escaped);
> >>+             /* SQL injection protection */
> >>+             if (strchr(name, '\'')) {
> >>+                     return NULL;
> >>+             }
> >>+
> >>+             spprintf(&q, sizeof("SELECT CURRVAL('')") + strlen(name), 
> >>"SELECT
> >>CURRVAL('%s')", name); res = PQexec(H->server, q);
> >>-             efree(name_escaped);
> >>              efree(q);
> >>              status = PQresultStatus(res);
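Review bot: the `strchr(name, '\'')` guard that replaces the removed `PQescapeString` call in this hunk is a weaker check than the one it removes. It rejects only the single-quote character, so a backslash in `name` still reaches the literal unescaped and changes how the server reads the closing quote, whereas `PQescapeString` handled every character the server treats specially. It also turns a legal sequence name that contains a quote (the case Christopher raised earlier in this thread) into a hard failure, and the early `return NULL` is silent: the caller cannot tell a rejected name from any other failure, unlike the `PQresultStatus` check that follows. The `sizeof("SELECT CURRVAL('')") + strlen(name)` passed as `spprintf`'s max_len is harmless but unnecessary, since the removed line passed 0 for unlimited. Suggest restoring the `name_escaped = safe_emalloc(l, 2, 1);` / `PQescapeString(name_escaped, name, l);` sequence, which is the portable path Edin asks for; if the heap allocation is the concern, the escaped copy can live in a stack buffer sized from `strlen(name) * 2 + 1` while keeping the escaping itself.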
> >
> >
> >
> 
> --
> PHP CVS Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>
