Re: Negative Integers Escaping - Mailing list psycopg

From Federico Di Gregorio
Subject Re: Negative Integers Escaping
Date
Msg-id 4DE63081.7000401@dndg.it
In response to Re: Negative Integers Escaping  (Daniele Varrazzo <daniele.varrazzo@gmail.com>)
List psycopg
On 31/05/11 18:56, Daniele Varrazzo wrote:
> On Tue, May 31, 2011 at 12:47 PM, Marko Kreen <markokr@gmail.com> wrote:
[snip]
> I've already called for discussion a couple of months ago [1] about
> supporting the EQ protocol: it will eventually be done, but the result
> will hardly be a complete replacement for what psycopg currently does,
> so I don't see it becoming the default escape mechanism. (Of course,
> while I'm positive about its implementation, nobody has stepped ahead
> for implementing it, so I'm afraid it will have to wait for a slice of
> my Copious Spare Time).

Lucky you! Mine ISN'T Copious. :D

> While it's good stuff the EQ exists for applications directly using
> the libpq, it wouldn't have saved many troubles for psycopg: IMO this
> one is really borderline to a pathological case and is not a security
> issue.

Also this one can generically be solved by putting parentheses around
every single argument. It is a +2 bytes per argument and the output of
cursor.query isn't pretty at all but if the need arises that will work
with minimal changes to the code (i.e., no new bugs).

Btw, I completely agree with Daniele's analysis of EQ and psycopg.
psycopg offers a lot of features and we should find the right place for
EQ. Just dropping it in and having regressions on the existing code isn't
a good idea.

federico

--
Federico Di Gregorio                         federico.digregorio@dndg.it
Studio Associato Di Nunzio e Di Gregorio                  http://dndg.it
  Lord, defend me from my friends; I can account for my enemies.
                                                  -- Charles D'Hericault
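
The parenthesization idea from the message above, as an added sketch that is not part of the original e-mail and is not psycopg code. It assumes the failure under discussion is a negative integer interpolated client-side directly after a `-` operator, so the query text ends up containing `--`, which SQL lexes as a line comment; the function names and the sample query are hypothetical.

```python
# Constructed model of client-side %s interpolation for integers only.
# None of these helpers are psycopg APIs.

def render_naive(value):
    # Stand-in for adapting an int to SQL text: just its decimal form.
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("this sketch only handles ints")
    return str(value)

def render_parenthesized(value):
    # The approach suggested in the message: wrap every argument in (),
    # costing two extra bytes per argument.
    return "(" + render_naive(value) + ")"

def interpolate(query, args, render):
    # Replace each %s placeholder, in order, with the rendered argument.
    parts = query.split("%s")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    out = [parts[0]]
    for arg, tail in zip(args, parts[1:]):
        out.append(render(arg))
        out.append(tail)
    return "".join(out)

def strip_line_comments(sql):
    # Approximates what the SQL lexer keeps: "--" starts a comment that runs
    # to end of line. String literals are ignored; the sample has none.
    return "\n".join(l.split("--", 1)[0].rstrip() for l in sql.splitlines())

QUERY = "SELECT 10 -%s AS result"  # constructed sample query

def demo():
    naive = interpolate(QUERY, [-1], render_naive)
    safe = interpolate(QUERY, [-1], render_parenthesized)
    return naive, strip_line_comments(naive), safe, strip_line_comments(safe)

if __name__ == "__main__":
    for text in demo():
        print(repr(text))
```

With the naive rendering the operand and the column alias disappear into a comment; with parentheses the statement reaches the server intact.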
