Home > mailing lists

Re: BUG #2228: escaped single quotes choke spi_exec_query in - Mailing list pgsql-bugs

From	michael
Subject	Re: BUG #2228: escaped single quotes choke spi_exec_query in
Date	February 2, 2006 22:05:45
Msg-id	20060201153005.O85967@ash.gene.ucl.ac.uk Whole thread Raw
In response to	Re: BUG #2228: escaped single quotes choke spi_exec_query in plperlu (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-bugs

Tree view

On Wed, 1 Feb 2006, Tom Lane wrote:
> "Michael Lush" <michael@galton.ucl.ac.uk> writes:
> > CREATE OR REPLACE FUNCTION quote_bug(text) RETURNS text AS
> > $$
> >    $data = $_[0];
>
> >    $sql = "SELECT *
> >              FROM test
> >             WHERE foo = '$data'";
>
> >    $rv_unique = spi_exec_query($sql);
>
> It's hardly a bug that you get a syntax error when $data contains
> a single quote.  It's up to you to construct a well-formed query
> string to give to spi_exec_query, and this code is not doing that.
>
>             regards, tom lane


As I understand it the  input strings are correctly escaped

INSERT INTO test VALUES ('No problem here');
INSERT INTO test VALUES ('It''s a problem here');
INSERT INTO test VALUES ('It\'s also a problem here');

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael John Lush PhD            Tel:44-20-7679-5027
Nomenclature Bioinformatician        Fax:44-20-7387-3496
HUGO Gene Nomenclature Committee    Email:  nome@galton.ucl.ac.uk
The Galton Laboratory
University College London, UK
URL: http://www.gene.ucl.ac.uk/nomenclature/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

pgsql-bugs by date:

From: "Garoso, Fernando"
Date: 02 February 2006, 22:05:43
Subject: BUG #2231: Incorrect Order By

From: "Michael Grossman"
Date: 02 February 2006, 22:05:47
Subject: BUG #2232: Function (store procedure) prublem

Re: BUG #2228: escaped single quotes choke spi_exec_query in - Mailing list pgsql-bugs

Previous

Next