Re: Stuff for 2.4.1 - Mailing list psycopg
| From | Federico Di Gregorio |
|---|---|
| Subject | Re: Stuff for 2.4.1 |
| Date | |
| Msg-id | 4D90348E.3080106@dndg.it Whole thread Raw |
| In response to | Re: Stuff for 2.4.1 (David Blewett <david@dawninglight.net>) |
| Responses |
Re: Stuff for 2.4.1
("A.M." <agentm@themactionfaction.com>)
|
| List | psycopg |
On 27/03/11 19:23, David Blewett wrote: > On Sun, Mar 27, 2011 at 9:46 AM, Daniele Varrazzo > <daniele.varrazzo@gmail.com> wrote: >> > On Sun, Mar 27, 2011 at 12:51 PM, Harald Armin Massa >> > <harald@2ndquadrant.com> wrote: >>> >> Are you really sure that psycopg2 should go the road of having own >>> >> parsers in addition to libpq-s routines? As much as I am happy about >>> >> the robustness when having other libpqs, and about the performance >>> >> benefit, as much I fear to have some new areas for possible bugs - >>> >> especially security-relevant things like SQL-injections. >> > >> > The will to stick as much as possible to the libpq functions has been >> > the reason I had not written the above parser before (releasing >> > 2.4.0). Unfortunately the bytea problem has proven trickier to handle >> > for many psycopg users. I've changed my mind as I think psycopg has >> > the responsibility to provide a set of feature in a robust way, and if >> > the libpq is just not reliable for bytea parsing (for me the hex >> > format should have been backported to the the client libraries of the >> > previous versions) I think we have to provide a solution, not just to >> > propagate the problem. > I think I agree with Harald here. In my opinion, this shouldn't be > done at the driver level. There never has been a guarantee from the > database side that applications compiled against older libpq will be > able to communicate with newer versions. Emulating this in the driver > only propagates this mis-conception. What has been the problem in the > past? Maybe the documentation should be improved so that people are > sure to build against the appropriate version of libpq for the version > of the server they intend to communicate with? What Daniele did is fine: 1) There is no security problem, because the code only work in the database->user direction. 2) Allows communication with different combinations of backend/libpq versions without adding the overhead of extra quesries when establishing the connection (i.e., it just works and this is very important for the user). Also, while I am writing very few new code I am reviewing everything and I am confident to say that psycopg is much safe now than 2 years ago when I was the only developer. federico -- Federico Di Gregorio federico.digregorio@dndg.it Studio Associato Di Nunzio e Di Gregorio http://dndg.it When people say things are a lot more complicated than that, they means they're getting worried that they won't like the truth. -- Granny Weatherwax