来自php的postgresql查询 - pg_query_params()期望参数1为资源,给定

时间:2018-01-10 10:17:04

标签: php postgresql

PHP版本:7 Postgres版本:9.6

我们正在开发一个向postgres数据库发送查询的Web应用程序,目前我正在更新一些易受sql注入攻击的查询。但是,使用pg_query_params函数时,我收到错误

pg_query_params() expects parameter 1 to be resource, null given

这会引用第二个参数,对吗?但它绝对不是null,它是一个表示sql查询的字符串。这是我们的PHP代码(我知道$FeatureCollection仍在连接,因此SQL注入漏洞,但修复此代码涉及更多步骤):

$conn = dbconn();

$from = $_POST['from']; //node id of the 'from' location, passed from ajax
$to = $_POST['to']; //node id of the 'to' location, passed from ajax

$sql = 'SELECT json_build_object(
        \'type\',       \'FeatureCollection\',
        \'features\',   jsonb_agg(feature)
    )
    FROM (
        SELECT json_build_object(
            \'type\',       \'Feature\',
            \'id\',         edge,
            \'geometry\',   ST_AsGeoJSON(the_geom)::json,
            \'properties\', to_jsonb(row) - \'id\' - \'geom\'
    ) AS
        feature
    FROM
        (
            SELECT * FROM pgr_nogo_dijkstra(
                    \'SELECT gid AS id, source, target, cost, reverse_cost, the_geom AS geom FROM ways\',
                    (
                        SELECT
                            ST_SetSRID(ST_Union(ST_GeomFromGeoJSON(feat->>\'geometry\')), 4326)
                        FROM (
                            SELECT json_array_elements(
                                \'{
                                    "type": "FeatureCollection",
                                    "crs": { "type": "name", "properties": { "name": "urn:ogc:def:crs:OGC:1.3:CRS84" } },
                                    "features":
                                        ['.$FeatureCollection.'] // still vulnerable, will be fixed later
                                }\'
                                ::json->\'features\'
                            ) AS
                                feat
                        ) AS
                            f
                    ),
                    $1,
                    $2,
                    TRUE
                ) AS route_result
            INNER JOIN
                ways
            ON
                ways.gid = route_result.edge
        )
    row) features;
    ';

result = pg_query_params( $conn, $sql, array($from, $to) ) or die('Query Failed: ' .pg_last_error());

$sql绝对不是空的,它是事先定义的。当我们刚刚使用字符串连接和pg_query()时,查询工作正在进行,所以我不确定是什么让pg_query_params()失败了。

编辑:我也不应该dbconn()引用从另一个php文件导入的另一个函数:

function dbconn(){

        ini_set('display_errors', 1); // Dispalys errors
        // fetch config params
        $config = file_get_contents('../config.json');
        $json = json_decode($config, true);
        //echo $json['db_host'];


        //database login info
        $host = $json['db_host'];
        $port = $json['db_port'];
        $dbname = $json['db_name'];
        $user = $json['db_user'];
        $password = $json['db_pwd'];
        // establish connection         
        $conn = pg_connect("host=$host port=$port dbname=$dbname user=$user password=$password");
        if (!$conn) {
            echo "Not connected : " . pg_error();
            exit;
        }
    }

1 个答案:

答案 0 :(得分:0)

好的:没有参数1不是第二个参数是第一个参数。 你的dbconn函数没有返回连接。

添加

return $conn;

在你的dbconn函数结束时你应该没问题。

相关问题
最新问题