开发者

getting problem in pg_query execution

问答 作者:

When i am running my query 

$dbhost='localhost';
$dbuser='dbuser';
$dbpass='dbpass';
$dbname='dbname';

$conn=pg_connect('host='.$dbhost.' dbname='.$dbname.' user='.$dbuser.' password='.$dbpass); 
if (!$conn) {
  echo "An error occured.\n";
  exit;
}else{
echo "connection occured";
}
echo $conn;


        $insert=pg_query($conn, "Insert into `advertiser_regidetdir` 
        (user_name,domain_name,user_email,publickey,privatekey, refresh_count )
        values('$user','$domain','$email','$pubkey','$pritekey',0)");
        if (!$insert) {
          echo "An error occured.\n";
          exit;
        }

I am getting output somthing like this..开发者_JS百科..... connection occured Resource id #2An error occured. Why this error is coming.

Use the pg_last_error() function to get a more detailed error message like this:

    if (!$insert) {
      echo "An error occured.\n";
      echo pg_last_error($conn);
      exit;
    }


Insert into `advertiser_regidetdir`

Backticks are a MySQL quoting feature that is not part of standard ANSI SQL and not available in other databases. The ANSI syntax for quoting a schema name is double quotes.

It is unfortunate that MySQL interprets double quotes as a synonym for single quotes. If you want to write code that is portable across MySQL and other DBMSs, you'll need to either:

  • use double-quotes for schema names throughout, and on MySQL turn on the sql_mode ANSI_QUOTES feature in order to make it comply with the standard, or
  • avoid quoting schema names altogether. This requires general knowledge of what keywords exist in different DBMSs so you can avoid those words, but certainly advertiser_regidetdir is not a keyword in any DBMS so is quite valid without the quotes.

.

values('$user','$domain','$email','$pubkey','$pritekey',0)

Unless you have already pg_escape_stringed those values, that's a bit old load of SQL injection security horror.

Consider parameterised queries, especially as with the pg module you get pg_query_params which makes it really easy.

Use pg_query_params() to avoid SQL injection and don't use backticks `, these have nothing to do with SQL:

<?php
$dbhost='localhost';
$dbuser='dbuser';
$dbpass='dbpass';
$dbname='dbname';

$conn = pg_connect('host='.$dbhost.' dbname='.$dbname.' user='.$dbuser.' password='.$dbpass); 

if (!$conn) {
  echo "An error occured.\n";
  exit;
}else{
echo "connection occured";
}
echo $conn;

$query = '
    INSERT INTO advertiser_regidetdir
        (user_name,domain_name,user_email,publickey,privatekey, refresh_count )
    VALUES($1, $2, $3, $4, $5, 0)'; // 5 placeholders

$insert = pg_query_params(
            $conn,
            $query,
            array($user, $domain, $email, $pubkey, $pritekey) // array with values
            );

if (!$insert) {
    echo "An error occured.\n";
    exit;
}
?>

继续阅读:phppostgresql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9