Re: Re: Escaping strings for inclusion into SQL queries - Mailing list pgsql-hackers

From Florian Weimer
Subject Re: Re: Escaping strings for inclusion into SQL queries
Date
Msg-id tgheukl0rq.fsf@mercury.rus.uni-stuttgart.de
In response to Re: Re: Escaping strings for inclusion into SQL queries  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: Re: Escaping strings for inclusion into SQL queries  (Bruce Momjian <pgman@candle.pha.pa.us>)
Re: Re: Escaping strings for inclusion into SQL queries  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-hackers
Peter Eisentraut <peter_e@gmx.net> writes:

> Florian Weimer writes:
> 
> > The first version escaped ' with ''.  I changed it when I noticed that
> > if \' is used instead, the same function can be used for strings
> > ('...') and identifiers ("...").
> 
> Last time I checked (15 seconds ago), you could not escape " with \ in
> PostgreSQL.  The identifier parsing rules are a bit different from strings.

Yes, we misread the lexer description.  I'm sorry about that.

In addition, there seems to be a bug in the treatment of "" escapes in
identifiers. 'SELECT """";' yields the error message 'Attribute '""'
not found ' (not '"'!) or even 'Attribute '""\' not found', depending
on the queries executed before.

For identifiers, comparing the characters to a white list is probably
a more reasonable approach.

-- 
Florian Weimer                       Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
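The two quoting rules the thread turns on, as an added example that is not code from the thread or from PostgreSQL: a literal and an identifier are escaped by doubling their own delimiter, a backslash escape is never valid inside a quoted identifier, and identifiers can instead be checked against a white list as Florian suggests. Function names and the white-list pattern are this example's own choices.

```python
import re

# White list for identifiers, as suggested in the message: letters, digits
# and underscore, not starting with a digit (pattern chosen for this example).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def backslash_escape(s: str) -> str:
    """The approach from the quoted message: one function for both contexts.

    It relies on backslash being an escape character.  PostgreSQL honours
    that only inside string literals (and only in the old, non-standard
    mode); inside a quoted identifier a backslash is an ordinary character,
    so an embedded " is not neutralised at all.
    """
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def quote_literal(s: str) -> str:
    """SQL string literal: double every embedded single quote."""
    return "'" + s.replace("'", "''") + "'"


def quote_ident(name: str) -> str:
    """Quoted identifier: double every embedded double quote, no backslashes."""
    return '"' + name.replace('"', '""') + '"'


def safe_ident(name: str) -> str:
    """White-list approach: reject anything outside the allowed alphabet
    instead of trying to escape it."""
    if not IDENT_RE.match(name):
        raise ValueError(f"identifier rejected: {name!r}")
    return name


def build_query(table: str, value: str) -> str:
    """Each fragment is quoted with the rule for its own context."""
    return f"SELECT * FROM {quote_ident(table)} WHERE name = {quote_literal(value)};"


if __name__ == "__main__":
    # Constructed inputs: a value with an apostrophe and a table name with a quote.
    print(build_query('odd"name', "O'Reilly"))
    # The identifier consisting of a single " becomes """" (the case in the message).
    print(quote_ident('"'))
```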

