Skip site navigation (1) Skip section navigation (2)

Re: Escape handling in strings

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Rod Taylor <pg(at)rbt(dot)ca>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>,PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>,Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Subject: Re: Escape handling in strings
Date: 2005-06-16 12:55:04
Message-ID: 14648.1118926504@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackerspgsql-patches
Rod Taylor <pg(at)rbt(dot)ca> writes:
> It probably won't be any worse than when '' was rejected for an integer
> 0.

That analogy is *SO* far off the mark that I have to object.

Fooling with quoting rules will not simply cause clean failures, which
is what you got from ''-no-longer-accepted-by-atoi.  What it will cause
is formerly valid input being silently interpreted as something else.
That's bad enough, but it gets worse: formerly secure client code may
now be vulnerable to SQL-injection attacks, because it doesn't know how
to quote text properly.

What we are talking about here is an extremely significant change with
extremely serious consequences, and imagining that it is not will be
a recipe for disaster.

I also think that pgsql-patches is not the place to be discussing such
things... it needs a whole lot more visibility.

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2005-06-16 12:56:31
Subject: Re: Escape handling in strings
Previous:From: Tom LaneDate: 2005-06-16 12:35:49
Subject: Re: [HACKERS] INHERITS and planning

pgsql-patches by date

Next:From: Tom LaneDate: 2005-06-16 12:56:31
Subject: Re: Escape handling in strings
Previous:From: Martin PittDate: 2005-06-16 06:41:54
Subject: Re: Add PG version number to NLS files

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group