Valid options are PGSQL_DML_NO_CONV, PGSQL_DML_EXEC, PGSQL_DMP_ASYNC, PGSQL_DML_STRING (pulled out of source code).
This function does not support selecting from multiple tables. You can get around this by setting the PGSQL_DML_NO_CONV option. This prevents the error which occurs when the function tries to convert the condition array.
I think it is also important to point out that the table_name field is not safe, particularily with the PGSQL_DML_NO_CONV option.
The arguements array field is compulsory, as documented. What isn't so clear is that the array has to actually have some values in it, you can't do a select all.
In summary, this function is good for a very small subset of basic queries. If you are after anything more complex you are better off with pg_query.
pg_select
(PHP 4 >= 4.3.0, PHP 5, PHP 7)
pg_select — Select records
Descrierea
pg_select
( resource
$connection
, string $table_name
, array $assoc_array
, int $options = PGSQL_DML_EXEC
, int $result_type = PGSQL_ASSOC
) : mixed
pg_select() selects records specified by
assoc_array which has
field=>value. For a successful query, it returns an
array containing all records and fields that match the condition
specified by assoc_array.
If options is specified,
pg_convert() is applied to
assoc_array with the specified flags.
By default pg_select() passes raw values. Values must be escaped or PGSQL_DML_ESCAPE option must be specified. PGSQL_DML_ESCAPE quotes and escapes parameters/identifiers. Therefore, table/column names became case sensitive.
Note that neither escape nor prepared query can protect LIKE query, JSON, Array, Regex, etc. These parameters should be handled according to their contexts. i.e. Escape/validate values.
Parametri
-
connection -
PostgreSQL database connection resource.
-
table_name -
Name of the table from which to select rows.
-
assoc_array -
An array whose keys are field names in the table
table_name, and whose values are the conditions that a row must meet to be retrieved. -
options -
Any number of
PGSQL_CONV_FORCE_NULL,PGSQL_DML_NO_CONV,PGSQL_DML_ESCAPE,PGSQL_DML_EXEC,PGSQL_DML_ASYNCorPGSQL_DML_STRINGcombined. IfPGSQL_DML_STRINGis part of theoptionsthen query string is returned. WhenPGSQL_DML_NO_CONVorPGSQL_DML_ESCAPEis set, it does not call pg_convert() internally.
Valorile întoarse
Întoarce valoarea true în cazul
succesului sau false în cazul eșecului. Returns string if PGSQL_DML_STRING is passed
via options.
Exemple
Example #1 pg_select() example
<?php
$db = pg_connect('dbname=foo');
// This is safe somewhat, since all values are escaped.
// However PostgreSQL supports JSON/Array. These are not
// safe by neither escape nor prepared query.
$rec = pg_select($db, 'post_log', $_POST, PG_DML_ESCAPE);
if ($rec) {
echo "Records selected\n";
var_dump($rec);
} else {
echo "User must have sent wrong inputs\n";
}
?>
Istoricul schimbărilor
| Versiune | Descriere |
|---|---|
| 7.1.0 |
The result_type parameter was added.
|
| 5.6.0 |
No longer experimental. Added PGSQL_DML_ESCAPE constant,
true/false and null data type support.
|
| 5.5.3/5.4.19 |
Direct SQL injection to table_name and Indirect SQL
injection to identifiers are fixed.
|
A se vedea și
- pg_convert() - Convert associative array values into forms suitable for SQL statements
add a note
User Contributed Notes 2 notes
david dot tulloh at infaze dot com dot au ¶
19 years ago
wietse at cj2 dot nl ¶
18 years ago
David mentioned that you can't do a Select all.
However, when executing this script:
<?php
$conn_string = "dbname=mydb";
$db = pg_connect($conn_string);
$selectfields = array("imgid" => "");
$records = pg_select($db,"mmsfiles",$selectfields);
print_r($records);
?>
...I get this result:
Array
(
[0] => Array
(
[imgid] => 1
[file] => /home/wietse/public_html/mms/images/1.gif
[thumb] =>
)
[1] => Array
(
[imgid] => 2
[file] => /home/wietse/public_html/mms/images/2.gif
[thumb] =>
)
[2] => Array
(
[imgid] => 3
[file] => /home/wietse/public_html/mms/images/3.gif
[thumb] =>
)
[3] => Array
(
[imgid] => 4
[file] => /home/wietse/public_html/mms/images/4.gif
[thumb] =>
)
)
