
Re: Escaping strings for inclusion into SQL queries

From: "Mitch Vincent" <mvincent(at)cablespeed(dot)com>
To: "Alex Pilosov" <alex(at)pilosoft(dot)com>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-08-31 01:27:28
Message-ID: 002301c131bc$193c7610$be615dd8@mitch
Lists: pgsql-hackers
Ok, I misunderstood. I had long included my own escaping function in
programs that used libpq; I thought the intent was to make escaping happen
automatically..

Thanks!

-Mitch

----- Original Message -----
From: "Alex Pilosov" <alex(at)pilosoft(dot)com>
To: "Mitch Vincent" <mvincent(at)cablespeed(dot)com>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Sent: Thursday, August 30, 2001 7:32 PM
Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries


> It is. The application is responsible for calling PGescapeString (included in the
> patch in question) to escape commands that may possibly contain user-specified
> data... This function isn't called automatically.
>
> On Thu, 30 Aug 2001, Mitch Vincent wrote:
>
> > Perhaps I'm not thinking correctly, but isn't it the job of the application
> > that's using the libpq library to escape special characters? I guess I don't
> > see a downside, though, if it's implemented correctly to check and see if
> > characters are already escaped before escaping them (else major breakage of
> > existing applications would occur).. I didn't see the patch, but I assume that
> > someone took a look to make sure before applying it.
> >
> >
> > -Mitch
> >
> > ----- Original Message -----
> > From: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
> > To: "Florian Weimer" <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de>
> > Cc: <pgsql-hackers(at)postgresql(dot)org>
> > Sent: Thursday, August 30, 2001 6:43 PM
> > Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries
> >
> >
> > > > Florian Weimer <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de> writes:
> > > >
> > > > > We therefore suggest that a string escaping function is included in a
> > > > > future version of PostgreSQL and libpq.  A sample implementation is
> > > > > provided below, along with documentation.
> > > >
> > > > We have now released a description of the problems which occur when a
> > > > string escaping function is not used:
> > > >
> > > > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> > > >
> > > > What further steps are required to make the suggested patch part of
> > > > the official libpq library?
> > >
> > > Will be applied soon.  I was waiting for comments before adding it to
> > > the patch queue.
> >

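The point the thread settles on is that escaping is the application's job: libpq supplies the function, the program must call it on every user-controlled value before splicing it into a statement. The following is an added example in C to make that concrete; it is not code from this thread, from the 2001 patch or from libpq. escape_sql_string is an illustrative routine using the doubling rule of the era (every ' and \ doubled), build_query_unsafe and build_query_escaped are hypothetical helpers that build an authentication-style lookup with and without escaping, and count_literals is a small lexer that shows the effect: the constructed payload turns one string literal into three when it is not escaped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escape a value so it can be placed between single quotes in a SQL
 * statement. Rule of the 2001 proposal: every ' and every \ is doubled.
 * `to` must have room for 2*length + 1 bytes. Returns the number of bytes
 * written, not counting the terminator. Illustrative helper, not libpq's.
 */
size_t escape_sql_string(char *to, const char *from, size_t length)
{
    size_t out = 0;
    for (size_t i = 0; i < length; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[out++] = from[i];   /* double the metacharacter */
        to[out++] = from[i];
    }
    to[out] = '\0';
    return out;
}

/* Naive construction: the user-supplied value is concatenated as-is. */
int build_query_unsafe(char *buf, size_t bufsize, const char *user)
{
    return snprintf(buf, bufsize,
                    "SELECT password FROM users WHERE username = '%s'", user);
}

/* Same query, but the application escapes the value before concatenating. */
int build_query_escaped(char *buf, size_t bufsize, const char *user)
{
    size_t len = strlen(user);
    char *esc = malloc(2 * len + 1);
    if (esc == NULL)
        return -1;
    escape_sql_string(esc, user, len);
    int n = snprintf(buf, bufsize,
                     "SELECT password FROM users WHERE username = '%s'", esc);
    free(esc);
    return n;
}

/*
 * Count string literals in a statement using the 2001-era lexing rules:
 * inside a literal, '' is an escaped quote and \x is an escaped character.
 * A query built from one user value should contain exactly one literal;
 * a successful injection shows up as extra literals.
 */
int count_literals(const char *sql)
{
    int count = 0;
    int in_literal = 0;
    for (const char *p = sql; *p != '\0'; p++) {
        if (!in_literal) {
            if (*p == '\'')
                in_literal = 1;
            continue;
        }
        if (*p == '\\' && p[1] != '\0') {
            p++;                   /* skip the escaped character */
        } else if (*p == '\'') {
            if (p[1] == '\'')
                p++;               /* '' stays inside the literal */
            else {
                in_literal = 0;
                count++;
            }
        }
    }
    return count;
}

int main(void)
{
    /* Constructed attacker input: closes the literal and adds a tautology. */
    const char *payload = "' OR '1'='1";
    char unsafe[256], safe[256];

    build_query_unsafe(unsafe, sizeof unsafe, payload);
    build_query_escaped(safe, sizeof safe, payload);

    printf("unsafe : %s  (%d literals)\n", unsafe, count_literals(unsafe));
    printf("escaped: %s  (%d literals)\n", safe, count_literals(safe));
    return 0;
}
```

Two caveats a practitioner would add. First, an escaper cannot safely skip characters that "look already escaped": the value O'' is legitimate data and must become O'''', so the only workable contract is the one Alex describes, escape each value exactly once at the point where it enters the statement. Second, the doubling of backslashes reflects the server of 2001, which treated backslash as an escape inside literals; since PostgreSQL 9.1 standard_conforming_strings defaults to on and backslashes are ordinary characters, so a fixed rule like the one above would corrupt data. Current libpq offers PQescapeStringConn, which consults the connection's settings, and PQexecParams, which sends values separately from the statement text and removes the need for escaping altogether.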
