Re: PG 9.0 and standard_conforming_strings - Mailing list pgsql-hackers

From Tom Lane
Subject Re: PG 9.0 and standard_conforming_strings
Date
Msg-id 2068.1265226073@sss.pgh.pa.us
Whole thread Raw
In response to Re: PG 9.0 and standard_conforming_strings  (Mark Mielke <mark@mark.mielke.cc>)
Responses Re: PG 9.0 and standard_conforming_strings  (Nathan Wagner <nw@hydaspes.if.org>)
List pgsql-hackers
Mark Mielke <mark@mark.mielke.cc> writes:
> On 02/03/2010 01:20 PM, Robert Haas wrote:
>> I am not sure I really understand why anyone is a rush to make this
>> change.

> For myself, it isn't so much a rush as a sense that the code out there 
> that will break, will never change unless forced, and any time seems 
> better than never.

I have not heard anyone arguing for the position that we should never do
it.  The argument is about whether it's a good idea to do it *right
now*, without any advance notice or planning.

> Correct me if I am wrong - but I think this issue represents an 
> exploitable SQL injection security hole.

Indeed it is, which is one of the reasons to be cautious with changing
it.  We've been telling people to move away from \' for a long time,
but actually flipping the switch that will make their apps insecure
is not something to do on the spur of the moment.
        regards, tom lane


pgsql-hackers by date:

Previous
From: Joe Conway
Date:
Subject: Re: use of dblink_build_sql_insert() induces a server crash
Next
From: Robert Haas
Date:
Subject: Re: Add on_trusted_init and on_untrusted_init to plperl UPDATED [PATCH]