Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
> Currently, pg_toupper/pg_tolower are used in very limited situations.
> Are they really always safe enough to run in arbitrary situations,
> enough to create this new layer on top of them?
They are not, and we should absolutely not be encouraging additional uses
of them. The existing multi-character str_toupper/str_tolower functions
should be used instead. (Perhaps those should be relocated to someplace
more prominent?)
> Reading the comment on
> pg_tolower, "the whole thing is a bit bogus for multibyte charsets", I
> worry that we might create security holes, either now or in future
> callsites that use these new functions.
I doubt that they are security holes, but they do give unexpected
answers in some locales.
regards, tom lane
