Re: Escaping strings for inclusion into SQL queriesh

Patch applied. Thanks.

> "Joe Conway" <joseph(dot)conway(at)home(dot)com> writes:
>
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
>
> I agree that this is a problem, though it is not possible to do
> anything harmful with it. In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
>
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
>
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
>
> We can't do that, this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
>
> --
> Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898
>

[ Attachment, skipping... ]

>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026