Re: Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

From: Bruce Momjian
Subject: Re: Escaping strings for inclusion into SQL queries
Msg-id: 200109131700.f8DH0Qk26700@candle.pha.pa.us
In response to: Re: Escaping strings for inclusion into SQL queries (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>)
List: pgsql-hackers
Patch applied.  Thanks.

> "Joe Conway" <joseph.conway@home.com> writes:
> 
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
> 
> I agree that this is a problem, though it is not possible to do
> anything harmful with it.  In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
> 
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
> 
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
> 
> We can't do that, this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
> 
> -- 
> Florian Weimer                       Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart           http://cert.uni-stuttgart.de/
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
> 

[ Attachment, skipping... ]


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
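As an added illustration of the three-step sequence Joe describes (this is constructed model code, not Florian's patch and not libpq's own PQescapeString), the C below escapes a constructed input containing a NUL byte under the pre-patch rule and under the patched rule, then decodes each result the way a server of that era read backslash octal escapes. The functions escape_old, escape_fixed, decode_literal and the sample bytes are all assumptions made here for the demonstration.

```c
#include <stddef.h>

/* Constructed model of the pre-patch rule the thread describes (not libpq's
 * code): double ' and \, and write a NUL byte as the two bytes "\0". */
static size_t escape_old(char *to, const char *from, size_t length)
{
    char *t = to;
    for (size_t i = 0; i < length; i++) {
        if (from[i] == '\'' || from[i] == '\\') { *t++ = from[i]; *t++ = from[i]; }
        else if (from[i] == '\0')               { *t++ = '\\';    *t++ = '0';     }
        else                                    { *t++ = from[i]; }
    }
    *t = '\0';                     /* caller's buffer needs 2*length + 1 bytes */
    return (size_t)(t - to);
}

/* Patched rule as described: NUL is not escaped, so the output, being a C
 * string, simply ends at the first NUL byte of the input. */
static size_t escape_fixed(char *to, const char *from, size_t length)
{
    char *t = to;
    for (size_t i = 0; i < length && from[i] != '\0'; i++) {
        if (from[i] == '\'' || from[i] == '\\') *t++ = from[i];
        *t++ = from[i];
    }
    *t = '\0';
    return (size_t)(t - to);
}

/* Model of how a server of that era read a literal: '' -> ', \\ -> \, and
 * \ followed by one to three octal digits -> the byte with that value. */
static size_t decode_literal(char *to, const char *lit, size_t length)
{
    char *t = to;
    for (size_t i = 0; i < length; i++) {
        if (lit[i] == '\'' && i + 1 < length && lit[i + 1] == '\'') { *t++ = '\''; i++; }
        else if (lit[i] == '\\' && i + 1 < length && lit[i + 1] >= '0' && lit[i + 1] <= '7') {
            int v = 0, d = 0;      /* accumulate up to three octal digits */
            while (d++ < 3 && i + 1 < length && lit[i + 1] >= '0' && lit[i + 1] <= '7')
                v = v * 8 + (lit[++i] - '0');
            *t++ = (char)v;
        }
        else if (lit[i] == '\\' && i + 1 < length) *t++ = lit[++i];
        else *t++ = lit[i];
    }
    return (size_t)(t - to);
}

/* Constructed input from step 1 of the report: "x", a NUL byte, then "41".
 * Old rule: literal x\041, decoded by the server as "x!" (2 bytes).
 * Patched rule: literal x, decoded as "x" (1 byte, truncated but unaltered). */
static const char sample[] = { 'x', '\0', '4', '1' };
size_t roundtrip_old(char *out)   { char lit[16]; return decode_literal(out, lit, escape_old(lit, sample, sizeof sample)); }
size_t roundtrip_fixed(char *out) { char lit[16]; return decode_literal(out, lit, escape_fixed(lit, sample, sizeof sample)); }
```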