Re: Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

From Mitch Vincent
Subject Re: Escaping strings for inclusion into SQL queries
Date
Msg-id 002301c131bc$193c7610$be615dd8@mitch
In response to Re: Escaping strings for inclusion into SQL queries  (Alex Pilosov <alex@pilosoft.com>)
List pgsql-hackers
Ok, I misunderstood. I had long included my own escaping function in
programs that used libpq; I thought the intent was to make escaping happen
automatically..

Thanks!

-Mitch

----- Original Message -----
From: "Alex Pilosov" <alex@pilosoft.com>
To: "Mitch Vincent" <mvincent@cablespeed.com>
Cc: <pgsql-hackers@postgresql.org>
Sent: Thursday, August 30, 2001 7:32 PM
Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries


> It is. Application is responsible to call PGescapeString (included in the
> patch in question) to escape command that may possibly have user-specified
> data... This function isn't called automatically.
>
> On Thu, 30 Aug 2001, Mitch Vincent wrote:
>
> > Perhaps I'm not thinking correctly but isn't it the job of the application
> > that's using the libpq library to escape special characters? I guess I don't
> > see a down side though, if it's implemented correctly to check and see if
> > characters are already escaped before escaping them (else major breakage of
> > existing applications would occur).. I didn't see the patch but I assume that
> > someone took a look to make sure before applying it.
> >
> >
> > -Mitch
> >
> > ----- Original Message -----
> > From: "Bruce Momjian" <pgman@candle.pha.pa.us>
> > To: "Florian Weimer" <Florian.Weimer@rus.uni-stuttgart.de>
> > Cc: <pgsql-hackers@postgresql.org>
> > Sent: Thursday, August 30, 2001 6:43 PM
> > Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries
> >
> >
> > > > Florian Weimer <Florian.Weimer@rus.uni-stuttgart.de> writes:
> > > >
> > > > > We therefore suggest that a string escaping function is included in a
> > > > > future version of PostgreSQL and libpq.  A sample implementation is
> > > > > provided below, along with documentation.
> > > >
> > > > We have now released a description of the problems which occur when a
> > > > string escaping function is not used:
> > > >
> > > > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> > > >
> > > > What further steps are required to make the suggested patch part of
> > > > the official libpq library?
> > >
> > > Will be applied soon.  I was waiting for comments before adding it to
> > > the patch queue.
> >
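The thread above makes the point that libpq does not escape anything on its own: the application must call the escaping function itself, exactly once, when it builds a literal from user-supplied data. The following is an added example written for this page, not the patch under discussion; `sql_escape` and `build_query` are hypothetical names, and the table and column are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sql_escape (hypothetical name, not the patch's function): copy `from` into
 * `to`, doubling every ' and \ so the result can sit inside a single-quoted
 * SQL literal. `to` needs 2*len + 1 bytes; the caller adds the surrounding
 * quotes. Returns the bytes written, excluding the terminating NUL. */
size_t sql_escape(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[n++] = from[i];      /* double the metacharacter */
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* Build the lookup query from untrusted input, escaping exactly once at the
 * point where the literal is formed. sql_escape is not idempotent (applied to
 * its own output it doubles the doubled quotes), so "is this already escaped?"
 * cannot be answered reliably later. Caller frees; NULL on allocation failure. */
char *build_query(const char *untrusted)
{
    static const char prefix[] = "SELECT id FROM users WHERE name = '";
    size_t len = strlen(untrusted);
    char *esc = malloc(2 * len + 1);
    if (esc == NULL)
        return NULL;
    size_t n = sql_escape(esc, untrusted, len);
    char *q = malloc(sizeof prefix + n + 1);  /* sizeof counts NUL; +1 closing ' */
    if (q != NULL) {
        strcpy(q, prefix);
        strcat(q, esc);
        strcat(q, "'");
    }
    free(esc);
    return q;
}

int main(void)
{
    char *q = build_query("O'Brien");   /* constructed sample input */
    if (q != NULL) {
        printf("%s\n", q);
        free(q);
    }
    return 0;
}
```

Note that escaping is only a correct mitigation when the escaped text is placed inside quotes by the same code that escaped it; a value escaped twice, or escaped and then dropped into an unquoted position, is still broken.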


