
Re: Escape handling in COPY, strings, psql

From: Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Sergey Ten <sergey(at)sourcelabs(dot)com>, jason(at)sourcelabs(dot)com
Subject: Re: Escape handling in COPY, strings, psql
Date: 2005-05-30 04:10:46
Message-ID: 429A9246.7030902@familyhealth.com.au
Lists: pgsql-hackers, pgsql-patches

> I think we can tell people in 8.1 that they should modify their
> applications to only use '', and that \' might be a security problem in
> the future.  If we get to that then using ESC or not only affects input
> of values and literal backslashes being entered, and my guess is that
> 90% of the backslash entries that want escaping are literal in the
> application and not supplied by program variables.  In fact, if we
> disable backslash by default then strings coming in only have to deal
> with single quotes (like other databases) and the system is more secure
> because there is no special backslash handling by default.

I can tell you right now this will be a problem :)  There are loads of 
PHP ppl who use addslashes() instead of pg_escape_string() to escape data.

Chris
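The mismatch Chris points at, as an added illustration that is not part of the thread: a minimal model of how a single-quoted SQL literal ends when backslash escapes are honoured versus when only the standard '' doubling is. The `addslashes`, `quote_doubling`, `parse_literal` and `interpret` names are assumptions for this example; `addslashes` mirrors PHP's function, and the parser deliberately ignores E'' strings, dollar quoting and other PostgreSQL details.

```python
import re


def addslashes(s: str) -> str:
    """PHP-style addslashes(): backslash-escape ', ", \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def quote_doubling(s: str) -> str:
    """SQL-standard quote escaping (what pg_escape_string does for quotes)."""
    return s.replace("'", "''")


def parse_literal(sql: str, backslash_escapes: bool) -> tuple[str, str]:
    """Parse the single-quoted literal at the start of `sql`.

    Returns (decoded value, SQL text remaining after the closing quote).
    With backslash_escapes=True a backslash escapes the next character;
    with False it is an ordinary character, as with standard-conforming strings.
    """
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    i, out = 1, []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])  # backslash escape: keep next char literally
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")  # '' is an escaped quote in both modes
                i += 2
            else:
                return "".join(out), sql[i + 1:]  # closing quote reached
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")


def interpret(escaped_body: str, backslash_escapes: bool) -> tuple[str, str]:
    """Embed an already-escaped value in a constructed query fragment and parse it."""
    return parse_literal(f"'{escaped_body}' AND active", backslash_escapes)
```

With `addslashes`, the escaped quote only survives while backslashes are special; once they are not, the literal ends at `\'` and the rest of the value becomes trailing SQL, whereas `''` doubling decodes identically in both modes.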

