Skip site navigation (1) Skip section navigation (2)

Re: Re: Escaping strings for inclusion into SQL queries

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-03 20:28:49
Message-ID: 200109032028.f83KSnD18708@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
OK, can you supply an updated patch?


> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> 
> > Florian Weimer writes:
> > 
> > > The first version escaped ' with ''.  I changed it when I noticed that
> > > if \' is used instead, the same function can be used for strings
> > > ('...') and identifiers ("...").
> > 
> > Last time I checked (15 seconds ago), you could not escape " with \ in
> > PostgreSQL.  The identifer parsing rules are a bit different from strings.
> 
> Yes, we misread the lexer description.  I'm sorry about that.
> 
> In addition, there seems to be a bug in the treatment of "" escapes in
> identifiers. 'SELECT """";' yields the error message 'Attribute '""'
> not found ' (not '"'!) or even 'Attribute '""\' not found', depending
> on the queries executed before.
> 
> For identifiers, comparing the characters to a white list is probably
> a more reasonable approach.
> 
> -- 
> Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart           http://cert.uni-stuttgart.de/
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
> 
> http://www.postgresql.org/users-lounge/docs/faq.html
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

In response to

Responses

pgsql-hackers by date

Next:From: Tom LaneDate: 2001-09-03 20:30:31
Subject: Re: Porting to Native WindowsNT/2000
Previous:From: Bruce MomjianDate: 2001-09-03 20:17:54
Subject: Re: OpenFTS (Open Source Full Text Search engine) pre-announce

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group