Thread: don't understand something about backslashes
I have a varchar that is 64 wide. I prescape stuff like the '-' character to prevent SQL injection. Here is the EXACT field value that I inserted recently,for a test. It comes to approx 100 chars. '\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar, I insert that and get: NO ERROR When I look at the record in phpPgAdmin, the slashes don't show up in the record. So, do they make it to the record, anyone know? What do I have to do for the PostgreSQL engine to prevent '--' character from ending a line in a a string? Or in general, get the backslashes in the record?
On Thu, 20 Mar 2003, Dennis Gearon wrote: > I have a varchar that is 64 wide. I prescape stuff like the '-' > character to prevent SQL injection. > > Here is the EXACT field value that I inserted recently,for a test. It > comes to approx 100 chars. > > '\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar, > > I insert that and get: > > NO ERROR > > When I look at the record in phpPgAdmin, the slashes don't show up in > the record. The backslashes are escaping what follows. If you want two backslashes you need to double them probably.
I print the string out before sending it to the p-l engine, and they are there. Where are they being interpreted as escaping, and removed: PHP ADODB (the php library I'm using) Postgres? Obviously, I'm looking on this list to see if they get removed by the libpq library or the backend. I didn't know escaping chars were removed ...... makes sense though. Stephan Szabo wrote: > On Thu, 20 Mar 2003, Dennis Gearon wrote: > > >>I have a varchar that is 64 wide. I prescape stuff like the '-' >>character to prevent SQL injection. >> >>Here is the EXACT field value that I inserted recently,for a test. It >>comes to approx 100 chars. >> >>'\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar, >> >>I insert that and get: >> >> NO ERROR >> >>When I look at the record in phpPgAdmin, the slashes don't show up in >>the record. > > > The backslashes are escaping what follows. If you want two backslashes > you need to double them probably. > > > ---------------------------(end of broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) >
On Thu, 20 Mar 2003, Dennis Gearon wrote: > I print the string out before sending it to the p-l engine, and they are > there. > > Where are they being interpreted as escaping, and removed: > > PHP > ADODB (the php library I'm using) > Postgres? > > Obviously, I'm looking on this list to see if they get removed by the > libpq library or the backend. > > I didn't know escaping chars were removed ...... makes sense though. Postgres AFAIK.
Actually, that is most good! The backslash causes the character to be treated JUST as a character, not as part of some command,right? But then it gets consumed so that it doesn't increase the size of a data field. Cool! So I don't have to unescape it when I draw the data back out of the database, oh so cool! Darren Ferguson wrote: > The back slash on insert is just escaping the character so Postgres will > not throw errors when adding ' or any other specialized charachters into > the database. > > If you want the backslashes to be in the record you have to double escape > them as shown below. > > HTH > > Darren > > oss=> create table test (id varchar(64) not null); > CREATE TABLE > oss=> insert into test values ('darren\'s'); > INSERT 9648444 1 > oss=> select * from test; > id > ---------- > darren's > (1 row) > > oss=> insert into test values ('darren\\\'s'); > INSERT 9648445 1 > oss=> select * from test; > id > ----------- > darren's > darren\'s > (2 rows) > > > On Thu, 20 Mar 2003, Dennis Gearon wrote: > > >>I have a varchar that is 64 wide. I prescape stuff like the '-' >>character to prevent SQL injection. >> >>Here is the EXACT field value that I inserted recently,for a test. It >>comes to approx 100 chars. >> >>'\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar, >> >>I insert that and get: >> >> NO ERROR >> >>When I look at the record in phpPgAdmin, the slashes don't show up in >>the record. >> >>So, do they make it to the record, anyone know? What do I have to do for >>the PostgreSQL engine to prevent '--' character from ending a line in a >>a string? Or in general, get the backslashes in the record? >> >> >> >> >> >> >>---------------------------(end of broadcast)--------------------------- >>TIP 6: Have you searched our list archives? >> >>http://archives.postgresql.org >> > >
The back slash on insert is just escaping the character so Postgres will not throw errors when adding ' or any other specialized charachters into the database. If you want the backslashes to be in the record you have to double escape them as shown below. HTH Darren oss=> create table test (id varchar(64) not null); CREATE TABLE oss=> insert into test values ('darren\'s'); INSERT 9648444 1 oss=> select * from test; id ---------- darren's (1 row) oss=> insert into test values ('darren\\\'s'); INSERT 9648445 1 oss=> select * from test; id ----------- darren's darren\'s (2 rows) On Thu, 20 Mar 2003, Dennis Gearon wrote: > I have a varchar that is 64 wide. I prescape stuff like the '-' > character to prevent SQL injection. > > Here is the EXACT field value that I inserted recently,for a test. It > comes to approx 100 chars. > > '\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar, > > I insert that and get: > > NO ERROR > > When I look at the record in phpPgAdmin, the slashes don't show up in > the record. > > So, do they make it to the record, anyone know? What do I have to do for > the PostgreSQL engine to prevent '--' character from ending a line in a > a string? Or in general, get the backslashes in the record? > > > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 6: Have you searched our list archives? > > http://archives.postgresql.org > -- Darren Ferguson