| From: | Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
|---|---|
| To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Sergey Ten <sergey(at)sourcelabs(dot)com>, jason(at)sourcelabs(dot)com |
| Subject: | Re: Escape handling in COPY, strings, psql |
| Date: | 2005-05-30 04:10:46 |
| Message-ID: | 429A9246.7030902@familyhealth.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
> I think we can tell people in 8.1 that they should modify their
> applications to only use '', and that \' might be a security problem in
> the future. If we get to that then using ESC or not only affects input
> of values and literal backslashes being entered, and my guess is that
> 90% of the backslash entries that want escaping are literal in the
> application and not supplied by program variables. In fact, if we
> disable backslash by default then strings coming in only have to deal
> with single quotes (like other databases) and the system is more secure
> because there is no special backslash handling by default.
I can tell you right now this will be a problem :) There are loads of
PHP ppl who use addslashes() instead of pg_escape_string() to escape data.
Chris
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Kirkwood | 2005-05-30 04:19:29 | Re: pg_buffercache causes assertion failure |
| Previous Message | Bruce Momjian | 2005-05-30 04:04:31 | Re: Escape handling in COPY, strings, psql |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Mark Kirkwood | 2005-05-30 04:19:29 | Re: pg_buffercache causes assertion failure |
| Previous Message | Bruce Momjian | 2005-05-30 04:04:31 | Re: Escape handling in COPY, strings, psql |