>Because you are using an input syntax that requires that quotes and
>backslashes be escaped. There are other input methods available that
>don't require this, but they have disadvantages of their own. In
>particular, you have to separate data from SQL command if you want a
>no-escape-processing behavior for data.
Right, I was looking for the alternate input methods that you allude to. I
have been unable to find an example of exactly how to do this.
> > I think this behavior stems from a security problem psql had a while
> > back where escape characters were being interpreted, and this may be
> > another instance of that functionality.
>Matt, you have no idea what you are talking about.
I readily admit that I didn't read much into it, but I think you are
mistaken. If you look at the following links you will see that PostgreSQL
definitely had a vulnerability that allowed SQL injection through the use of
escape characters. I was simply saying that this behavior might be a way of
preventing that from happening again.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802
http://cert.uni-stuttgart.de/doc/postgresql/escape/
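An added example, not part of the original message or of PostgreSQL's own code: one way data can be separated from the SQL command is the Parse and Bind messages of the PostgreSQL version 3 wire protocol, where each parameter value travels as length-prefixed bytes outside the query text, so quotes and backslashes need no escaping. It assumes a server and client library that speak protocol version 3; the table name `notes` and the sample value are constructed, and the code only builds and decodes the messages without opening a connection.

```python
import struct

QUERY = "INSERT INTO notes (body) VALUES ($1)"   # hypothetical table
VALUE = "it's in C:\\temp\\new"                   # constructed: one quote, two backslashes

def cstr(s):
    return s.encode("utf-8") + b"\x00"

def message(tag, body):
    # The int32 length counts itself (4 bytes) but not the 1-byte tag.
    return tag + struct.pack("!I", len(body) + 4) + body

def parse_message(query, stmt=""):
    # Parse: statement name, query text, count of declared parameter
    # type OIDs (0 here, so the server infers the type of $1).
    return message(b"P", cstr(stmt) + cstr(query) + struct.pack("!H", 0))

def bind_message(params, stmt="", portal=""):
    body = cstr(portal) + cstr(stmt)
    body += struct.pack("!H", 0)              # 0 format codes: all parameters are text
    body += struct.pack("!H", len(params))
    for p in params:
        if p is None:
            body += struct.pack("!i", -1)     # length -1 encodes SQL NULL
        else:
            raw = p.encode("utf-8")           # sent verbatim, no quoting or escaping
            body += struct.pack("!i", len(raw)) + raw
    body += struct.pack("!H", 0)              # 0 result format codes: text results
    return message(b"B", body)

def bind_params(msg):
    """Recover the parameter values from a Bind message, as the receiver would."""
    if msg[:1] != b"B":
        raise ValueError("not a Bind message")
    (length,) = struct.unpack("!I", msg[1:5])
    body = msg[5:1 + length]
    pos = body.index(b"\x00") + 1             # skip portal name
    pos = body.index(b"\x00", pos) + 1        # skip statement name
    (nfmt,) = struct.unpack_from("!H", body, pos)
    pos += 2 + 2 * nfmt
    (nparams,) = struct.unpack_from("!H", body, pos)
    pos += 2
    values = []
    for _ in range(nparams):
        (n,) = struct.unpack_from("!i", body, pos)
        pos += 4
        values.append(None if n == -1 else body[pos:pos + n].decode("utf-8"))
        pos += max(n, 0)
    return values
```

The query text in the Parse message contains only the `$1` placeholder; the value appears only in the Bind message, byte for byte as supplied.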