Thread: don't understand something about backslashes

don't understand something about backslashes

From
Dennis Gearon
Date:
I have a varchar that is 64 wide. I pre-escape stuff like the '-'
character to prevent SQL injection.

Here is the EXACT field value that I inserted recently, for a test. It
comes to approx 100 chars.

'\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar,

I insert that and get:

    NO ERROR

When I look at the record in phpPgAdmin, the slashes don't show up in
the record.

So, do they make it to the record, anyone know? What do I have to do for
the PostgreSQL engine to prevent the '--' characters from ending a line in
a string? Or, in general, get the backslashes in the record?


Re: don't understand something about backslashes

From
Stephan Szabo
Date:
On Thu, 20 Mar 2003, Dennis Gearon wrote:

> I have a varchar that is 64 wide. I pre-escape stuff like the '-'
> character to prevent SQL injection.
>
> Here is the EXACT field value that I inserted recently, for a test. It
> comes to approx 100 chars.
>
> '\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar,
>
> I insert that and get:
>
>     NO ERROR
>
> When I look at the record in phpPgAdmin, the slashes don't show up in
> the record.

The backslashes are escaping what follows.  If you want two backslashes
you need to double them probably.


Re: don't understand something about backslashes

From
Dennis Gearon
Date:
I print the string out before sending it to the p-l engine, and they are
there.

Where are they being interpreted as escaping, and removed:

    PHP
    ADODB (the php library I'm using)
    Postgres?

Obviously, I'm looking on this list to see if they get removed by the
libpq library or the backend.

I didn't know escaping chars were removed... makes sense though.

Stephan Szabo wrote:
> On Thu, 20 Mar 2003, Dennis Gearon wrote:
>
>
>>I have a varchar that is 64 wide. I pre-escape stuff like the '-'
>>character to prevent SQL injection.
>>
>>Here is the EXACT field value that I inserted recently, for a test. It
>>comes to approx 100 chars.
>>
>>'\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar,
>>
>>I insert that and get:
>>
>>    NO ERROR
>>
>>When I look at the record in phpPgAdmin, the slashes don't show up in
>>the record.
>
>
> The backslashes are escaping what follows.  If you want two backslashes
> you need to double them probably.
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>


Re: don't understand something about backslashes

From
Stephan Szabo
Date:
On Thu, 20 Mar 2003, Dennis Gearon wrote:

> I print the string out before sending it to the p-l engine, and they are
> there.
>
> Where are they being interpreted as escaping, and removed:
>
>     PHP
>     ADODB (the php library I'm using)
>     Postgres?
>
> Obviously, I'm looking on this list to see if they get removed by the
> libpq library or the backend.
>
> I didn't know escaping chars were removed... makes sense though.

Postgres AFAIK.


Re: don't understand something about backslashes

From
Dennis Gearon
Date:
Actually, that is most good!

The backslash causes the character to be treated JUST as a character,
not as part of some command, right?

But then it gets consumed so that it doesn't increase the size of a data
field. Cool!

So I don't have to unescape it when I draw the data back out of the
database, oh so cool!

Darren Ferguson wrote:
> The backslash on insert is just escaping the character so Postgres will
> not throw errors when adding ' or any other specialized characters into
> the database.
>
> If you want the backslashes to be in the record you have to double escape
> them as shown below.
>
> HTH
>
> Darren
>
> oss=> create table test (id varchar(64) not null);
> CREATE TABLE
> oss=> insert into test values ('darren\'s');
> INSERT 9648444 1
> oss=> select * from test;
>     id
> ----------
>  darren's
> (1 row)
>
> oss=> insert into test values ('darren\\\'s');
> INSERT 9648445 1
> oss=> select * from test;
>     id
> -----------
>  darren's
>  darren\'s
> (2 rows)
>
>
> On Thu, 20 Mar 2003, Dennis Gearon wrote:
>
>
>>I have a varchar that is 64 wide. I pre-escape stuff like the '-'
>>character to prevent SQL injection.
>>
>>Here is the EXACT field value that I inserted recently, for a test. It
>>comes to approx 100 chars.
>>
>>'\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar,
>>
>>I insert that and get:
>>
>>    NO ERROR
>>
>>When I look at the record in phpPgAdmin, the slashes don't show up in
>>the record.
>>
>>So, do they make it to the record, anyone know? What do I have to do for
>>the PostgreSQL engine to prevent the '--' characters from ending a line in
>>a string? Or, in general, get the backslashes in the record?
>>
>>
>>
>>
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 6: Have you searched our list archives?
>>
>>http://archives.postgresql.org
>>
>
>


Re: don't understand something about backslashes

From
Darren Ferguson
Date:
The backslash on insert is just escaping the character so Postgres will
not throw errors when adding ' or any other specialized characters into
the database.

If you want the backslashes to be in the record you have to double escape
them as shown below.

HTH

Darren

oss=> create table test (id varchar(64) not null);
CREATE TABLE
oss=> insert into test values ('darren\'s');
INSERT 9648444 1
oss=> select * from test;
    id
----------
 darren's
(1 row)

oss=> insert into test values ('darren\\\'s');
INSERT 9648445 1
oss=> select * from test;
    id
-----------
 darren's
 darren\'s
(2 rows)


On Thu, 20 Mar 2003, Dennis Gearon wrote:

> I have a varchar that is 64 wide. I pre-escape stuff like the '-'
> character to prevent SQL injection.
>
> Here is the EXACT field value that I inserted recently, for a test. It
> comes to approx 100 chars.
>
> '\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1\-1'::varchar,
>
> I insert that and get:
>
>     NO ERROR
>
> When I look at the record in phpPgAdmin, the slashes don't show up in
> the record.
>
> So, do they make it to the record, anyone know? What do I have to do for
> the PostgreSQL engine to prevent the '--' characters from ending a line in
> a string? Or, in general, get the backslashes in the record?
>

--
Darren Ferguson
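Added example, not code from the thread and not PostgreSQL's own lexer: a small Python model of how the server reads a single-quoted string literal, so you can check what lands in the column for the first post's value and for Darren's two INSERTs above. It assumes Darren's table `test(id varchar(64))`, that the 2003 server processed backslash escapes in every `'...'` literal (the behaviour you get today only with `E'...'` strings), and that a current server with `standard_conforming_strings = on` (the default since PostgreSQL 9.1) stores backslashes literally. The function names and the injection payload are mine. Two points the thread circles around fall out of it: `\-1` repeated 32 times collapses to 64 characters of `-1`, which is why a 96-character input fit a 64-wide column without error, and `--` inside a literal is data, so backslashing the dashes does nothing for injection; the only character that lets input escape the literal is the quote, and that is what must be doubled (or, better, passed as a bound parameter).

```python
"""Added example: a model of PostgreSQL string-literal lexing, not server code.
Assumptions: table test(id varchar(64)); escapes on for every '...' literal
in 2003, only for E'...' with standard_conforming_strings = on today.  Only the
escapes the model needs are implemented."""
import re

# Escapes recognised when backslash processing is on.  Any other \c, e.g. \-,
# is simply the character after the backslash, so the backslash is consumed.
_SIMPLE = {"b": "\b", "f": "\f", "n": "\n", "r": "\r", "t": "\t"}


def unescape_body(body, escapes):
    """Value stored for the text between the quotes of a literal."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "'" and body[i + 1:i + 2] == "'":        # '' is one quote
            out.append("'"); i += 2; continue
        if c == "\\" and escapes and i + 1 < len(body):
            rest = body[i + 1:]
            m = re.match(r"[0-7]{1,3}", rest)            # \ooo
            if m:
                out.append(chr(int(m.group(), 8))); i += 1 + len(m.group()); continue
            m = re.match(r"x([0-9A-Fa-f]{1,2})", rest)   # \xhh
            if m:
                out.append(chr(int(m.group(1), 16))); i += 1 + len(m.group()); continue
            out.append(_SIMPLE.get(rest[0], rest[0])); i += 2; continue
        out.append(c); i += 1
    return "".join(out)


def lex(sql, standard_conforming=True):
    """Split one statement into ('code'|'literal'|'comment', text) tokens.
    A 'literal' token carries the stored value, not the source spelling."""
    tokens, i, start = [], 0, 0
    while i < len(sql):
        if sql.startswith("--", i):                      # comment, outside a literal only
            end = sql.find("\n", i)
            end = len(sql) if end < 0 else end
            tokens += [("code", sql[start:i]), ("comment", sql[i:end])]
            i = start = end
            continue
        if sql[i] == "'":
            prefixed = i >= 1 and sql[i - 1] in "Ee" and (
                i == 1 or not (sql[i - 2].isalnum() or sql[i - 2] == "_"))
            escapes = prefixed or not standard_conforming
            tokens.append(("code", sql[start:i - int(prefixed)]))
            j = i + 1
            while j < len(sql):
                if sql[j] == "\\" and escapes:
                    j += 2                               # \' never closes the literal
                elif sql[j] == "'" and sql[j + 1:j + 2] == "'":
                    j += 2                               # '' never closes it either
                elif sql[j] == "'":
                    break
                else:
                    j += 1
            else:
                raise ValueError("unterminated quoted string")
            tokens.append(("literal", unescape_body(sql[i + 1:j], escapes)))
            i = start = j + 1
            continue
        i += 1
    tokens.append(("code", sql[start:]))
    return [t for t in tokens if t[1]]


def stored_value(sql, standard_conforming=True):
    """What SELECT returns for a statement holding exactly one literal."""
    vals = [t for kind, t in lex(sql, standard_conforming) if kind == "literal"]
    if len(vals) != 1:
        raise ValueError("expected exactly one literal")
    return vals[0]


def code_outside_literals(sql, standard_conforming=True):
    """Everything the server would execute as SQL rather than store as data."""
    return "".join(t for kind, t in lex(sql, standard_conforming) if kind == "code")


def quote_literal(value):
    """Literal that stores `value` unchanged under either setting: the E prefix
    forces backslash processing, so both \\ and ' are doubled."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def naive_insert(value):
    """The first post's approach: backslash the '-' characters, nothing else."""
    return "INSERT INTO test VALUES ('" + value.replace("-", "\\-") + "')"


def safe_insert(value):
    return "INSERT INTO test VALUES (" + quote_literal(value) + ")"


if __name__ == "__main__":
    dennis = "\\-1" * 32                                 # the value from the first post
    print(len(stored_value("'" + dennis + "'", False)))   # 64: every \- collapsed to -
    print(len(stored_value("'" + dennis + "'", True)))    # 96: too long for varchar(64)
    print(stored_value("'x -- y'"))                       # -- inside a literal is data
    print(code_outside_literals(naive_insert("x'); DROP TABLE test; SELECT ('")))
```

Run it as is to see the three cases; `naive_insert` shows that a value containing a quote but no dash at all turns the INSERT into two statements, while `safe_insert` keeps the same payload inside the literal. In real code, use the driver's parameter binding (`$1`, or ADODB's bound parameters) instead of building the literal yourself; `quote_literal` is here only to make the lexer's behaviour visible.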