Alvaro Herrera <alvherre@alvh.no-ip.org> writes:
> On 2023-Feb-06, Tom Lane wrote:
>> I think removing standard_conforming_strings = off might be a
>> bridge too far, even yet. Or were you speaking of removing
>> escape_string_warning? I could get behind that perhaps.
>> Making it default to off could be an even easier sell.
> I was thinking we'd remove them together. Anybody who is running
> standard_conforming_strings=off will need the warning so that they can
> find the places they need to touch in order to migrate. Keeping the
> ability to run nonstandard strings but without the ability to have the
> warnings would be dangerous, because then there's no easy way to
> upgrade.

Yeah, that's true. So then the question is do we have any desire
to kill off standard_conforming_strings=off altogether?
You could certainly make an argument that doing so would be a net
security improvement, because it's likely that by now there are a
ton of applications that aren't careful with backslashes and will
have SQL-injection hazards if run under standard_conforming_strings=off.
Whether that argument will placate the people who don't want to
change their existing s_c_s=off-dependent apps, I dunno.

> (I agree BTW with the idea that running psql with non-standard strings
> and the warnings enabled is not something that we need to support
> specifically.)

Yeah, just changing the e_s_w default to "off" might be easiest.

regards, tom lane
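
An added example, not part of the message above and not PostgreSQL code: a small Python scanner that lists the ordinary string literals containing a backslash, the same literals escape_string_warning reports on a server running with standard_conforming_strings=off, and that shows how literal boundaries move between the two settings. The function names and sample statements are constructed for illustration; the scanner assumes plain SQL text and ignores comments, dollar quoting and quoted identifiers.

```python
import re

# A literal starts at a quote, optionally preceded by a stand-alone E/e prefix.
_LITERAL_START = re.compile(r"(?:(?<![A-Za-z0-9_])([eE]))?'")

def literals(sql, scs_on):
    """Yield (offset, is_escape_string, raw_body) for each '...' literal.

    scs_on=False applies the legacy rule: a backslash escapes the next
    character in every literal. scs_on=True applies it only to E'...'.
    """
    pos = 0
    while (m := _LITERAL_START.search(sql, pos)):
        is_e = bool(m.group(1))
        backslash_escapes = is_e or not scs_on
        i = m.end()
        while i < len(sql):
            ch = sql[i]
            if ch == "\\" and backslash_escapes:
                i += 2                      # skip the escaped character
            elif ch == "'" and sql[i + 1:i + 2] == "'":
                i += 2                      # doubled quote stays inside the literal
            elif ch == "'":
                break                       # closing quote
            else:
                i += 1
        yield m.start(), is_e, sql[m.end():i]
        pos = i + 1

def needs_migration(sql):
    """Plain literals with a backslash, read the way an s_c_s=off server reads them."""
    return [(off, body) for off, is_e, body in literals(sql, scs_on=False)
            if not is_e and "\\" in body]

# Constructed sample statements, as a legacy application might send them.
SAMPLE = r"""
SELECT * FROM files WHERE path = 'C:\temp\report.txt';
SELECT * FROM users WHERE name = 'O''Brien';
SELECT E'line1\nline2';
SELECT 'it\'s' AS legacy_quote;
"""

if __name__ == "__main__":
    for offset, body in needs_migration(SAMPLE):
        print(f"offset {offset}: backslash in ordinary literal: {body}")
    for mode in (False, True):
        bodies = [b for _, _, b in literals(SAMPLE, scs_on=mode)]
        print(f"standard_conforming_strings={'on' if mode else 'off'}: {len(bodies)} literals")
```

The last statement is the case the warning exists for: it is one literal with the setting off, but with the setting on the literal closes at the quote after the backslash and the rest of the text is read as SQL.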