Michael Meskes <meskes@postgresql.org> wrote:
> > I found bug in ecpg concerning processing of the multi-byte character-code.
> > I reported as bug#2956 before.
>
> I'm just committing the changes to CVS but only to HEAD because I cannot
> check if my changes broke something. The sources work fine on my system
> and the regression tests pass without a problem. But then I do not have
> a setup similar to yours. Could you please test this?
I tested the change and it worked fine, but I found that this fix
should be backported -- it might cause SQL injections depending on
the server configurations.
The attached patches are backports for the past releases.
I hope you will apply them. Thanks.
[TEST]
1. initdb --no-locale --encoding=UTF8
2. SET client_encoding = sjis in postgresql.conf
3. ecpg test.pgc
4. gcc test.c
5. test < src.sjis.txt
[RESULTS]
The first charactor is a Japanese kanji. (0x95+0x5c)
-- 8.3dev
表'; SELECT 9999;--
-- 8.2.3 : backslash_quote = safe_encoding
sql error 'unsafe use of \' in a string literal' in line 21.
-- 8.2.3 : backslash_quote = on (SQL injection!)
9999
-- 8.2.3 with patch : backslash_quote = safe_encoding
表'; SELECT 9999;--
Regards,
---
ITAGAKI Takahiro
NTT Open Source Software Center
