Re: Problem with character ' (single quote) in text fields - Mailing list pgsql-general

From Jordi
Subject Re: Problem with character ' (single quote) in text fields
Date
Msg-id a2h3mc$a7u$1@news.tht.net
In response to Re: Problem with character ' (single quote) in text fields  (Einar Karttunen <ekarttun@cs.helsinki.fi>)
Responses Re: Problem with character ' (single quote) in text fields  (Stephan Szabo <sszabo@megazone23.bigpanda.com>)
List pgsql-general
In my case the data is loaded from a file (for example a very long list of
Names/FirstNames), so this security concern should not be applicable here
(anyway, thanks for the remark, because I have never thought about it...).

The best solution for me would be if I could change the "start/end of a
PostgreSQL string" from the single quote to the double quote (") or a
similar character, because now I have to do my own version of PQescapeString
for every text field, assuming the ' character could be there.  Does anyone know
if it is possible to change it without modifying the PostgreSQL source code?

Thanks,

Jordi

"Einar Karttunen" <ekarttun@cs.helsinki.fi> wrote in message
news:20020121113549.GC25853@shellak.helsinki.fi...
> On 21.01.02 11:42 +0100(+0000), Jordi wrote:
> > Is there any way to change the start/end of Text field character or do you
> > know a better workaround to avoid parsing/changing all the text fields just
> > in case they contain the single quote ( ') character?
> >
> In case the data comes from outside you *must* escape it. Libpq defines a
> function for it called PQescapeString. Consider what would happen if you
> had code like this:
>
> char buf[BUF_SIZE];
> snprintf(buf,BUF_SIZE,"SELECT * FROM mytable WHERE field='%s';",string_from_user);
> PQexec(con,buf);
>
> now let's say the user would enter a value like
> 0';DELETE FROM mytable;SELECT '1
> and the db would see
> SELECT * FROM mytable WHERE field='0';DELETE FROM mytable;SELECT '1';
>
> - Einar Karttunen
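As an added illustration of why the escaping Einar describes defuses the payload quoted above (example code written for this page, not libpq's own): escape_literal reimplements the quote-doubling rule, build_query is the thread's snprintf with the value escaped before interpolation, and top_level_statements mimics how the server's lexer splits a query string outside string literals. Buffer sizes and the payload value are assumptions taken from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Double every single quote so the value fits inside a '...' literal (the
 * quote rule PQescapeString applies; real libpq also handles backslashes and
 * encodings, so use PQescapeStringConn or PQexecParams in production). */
static int escape_literal(const char *in, char *out, size_t out_len) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (o + need + 1 > out_len) return -1;   /* keep room for the NUL */
        if (*p == '\'') out[o++] = '\'';         /* ' becomes '' */
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;   /* bytes written; -1 above if out_len was too small */
}

/* The thread's snprintf, with the value escaped first. 0 on success, -1 on overflow. */
static int build_query(const char *value, char *out, size_t out_len) {
    char esc[256];
    if (escape_literal(value, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, out_len, "SELECT * FROM mytable WHERE field='%s';", esc);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Count ';' outside string literals, as the server's lexer does: '' inside a
 * literal is a quote, not a terminator, so an escaped value yields 1 statement. */
static int top_level_statements(const char *sql) {
    int count = 0, in_quote = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\'') {
            if (in_quote && p[1] == '\'') { p++; continue; }  /* escaped '' */
            in_quote = !in_quote;
        } else if (*p == ';' && !in_quote) {
            count++;
        }
    }
    return count;
}

int main(void) {
    const char *payload = "0';DELETE FROM mytable;SELECT '1";  /* value from the thread */
    char raw[256], safe[256];
    snprintf(raw, sizeof raw, "SELECT * FROM mytable WHERE field='%s';", payload);
    build_query(payload, safe, sizeof safe);
    printf("unescaped: %d statements\n%s\n", top_level_statements(raw), raw);
    printf("escaped:   %d statements\n%s\n", top_level_statements(safe), safe);
    return 0;
}
```

Running it shows the unescaped string parsing as three statements and the escaped one as a single SELECT whose literal merely contains the text of the payload.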