From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Rod Taylor <pg(at)rbt(dot)ca>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Subject: Re: Escape handling in strings
Date: 2005-06-16 12:55:04
Message-ID: 14648.1118926504@sss.pgh.pa.us
Lists: pgsql-hackers pgsql-patches
Rod Taylor <pg(at)rbt(dot)ca> writes:
> It probably won't be any worse than when '' was rejected for an integer
> 0.
That analogy is *SO* far off the mark that I have to object.
Fooling with quoting rules will not simply cause clean failures, which
is what you got from ''-no-longer-accepted-by-atoi. What it will cause
is formerly valid input being silently interpreted as something else.
That's bad enough, but it gets worse: formerly secure client code may
now be vulnerable to SQL-injection attacks, because it doesn't know how
to quote text properly.
What we are talking about here is an extremely significant change with
extremely serious consequences, and imagining that it is not will be
a recipe for disaster.
I also think that pgsql-patches is not the place to be discussing such
things... it needs a whole lot more visibility.
regards, tom lane
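The failure mode Tom describes (a client that quotes correctly under one rule set being silently wrong under the other) can be made concrete with a small model. The following is an added example, not code from the thread or from PostgreSQL itself: `lex_literal` is a deliberately simplified scanner for a single-quoted literal under the two rule sets the thread argues about (legacy mode, where a backslash inside `'...'` is an escape character, and SQL-standard mode, where a backslash is an ordinary character); only `\'`, `\\`, `\n` and `\t` are modelled. The quoting helpers and the `round_trips_in_both_modes` check are my own names and constructions.

```python
# Added example, not part of the original thread. Models single-quoted literal
# lexing under two rule sets: legacy "backslash is an escape" and SQL-standard
# "backslash is an ordinary character". Simplified: only \' \\ \n \t handled.

def lex_literal(sql, backslash_escapes):
    """Scan the single-quoted literal at the start of `sql`.

    Returns (value, remainder): the decoded literal and the text after the
    closing quote, which a real parser would go on to tokenize as SQL.
    Raises ValueError if the literal is never closed.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    escapes = {"'": "'", "\\": "\\", "n": "\n", "t": "\t"}
    out = []
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":        # '' is a literal quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]   # closing quote found
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(escapes.get(nxt, nxt))  # legacy mode: \x is an escape
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def quote_with_backslash(value):
    """Legacy client quoting: escape ' and \\ with a backslash."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_by_doubling(value):
    """SQL-standard client quoting: double every single quote, touch nothing else."""
    return "'" + value.replace("'", "''") + "'"


def interpret(quote, value, backslash_escapes):
    """What the server makes of quote(value) embedded in a statement.

    Returns (decoded value, trailing text that would be parsed as further SQL).
    The trailing ")" is a constructed stand-in for the rest of a VALUES(...) list.
    """
    stmt = quote(value) + ")"
    return lex_literal(stmt, backslash_escapes)


def round_trips_in_both_modes(quote, value):
    """Defender's check: a quoting routine is only safe if, under BOTH rule
    sets, the literal decodes back to the original value and nothing escapes
    the quotes into the surrounding SQL."""
    for mode in (True, False):
        try:
            decoded, rest = interpret(quote, value, mode)
        except ValueError:
            return False
        if decoded != value or rest != ")":
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    for value in ("O'Reilly", "C:\\new"):
        for name, q in (("backslash", quote_with_backslash), ("doubling", quote_by_doubling)):
            for mode in (True, False):
                try:
                    print(name, "legacy" if mode else "standard", interpret(q, value, mode))
                except ValueError as e:
                    print(name, "legacy" if mode else "standard", "error:", e)
            print(name, "safe in both modes:", round_trips_in_both_modes(q, value))
```

Running it shows the two halves of Tom's point. The backslash-quoting client decodes `O'Reilly` correctly under legacy rules, but under standard rules the literal ends at the escaped quote and `Reilly')` is left over to be parsed as SQL, which is the injection surface. The doubling client survives the quote change, but a value containing a backslash (`C:\new`) is silently decoded as something else under legacy rules, with no error raised. PostgreSQL eventually resolved this tension with the `standard_conforming_strings` setting and the `E'...'` literal prefix, which fixes the escape semantics regardless of the setting.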