Skip site navigation (1) Skip section navigation (2)

Re: PQescapeIdentifier

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Christopher Kings-Lynne <chris(dot)kings-lynne(at)calorieking(dot)com>
Cc: Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PQescapeIdentifier
Date: 2006-05-31 03:08:38
Message-ID: 5991.1149044918@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Christopher Kings-Lynne <chris(dot)kings-lynne(at)calorieking(dot)com> writes:
> Here's a question. I wish to add a function to libpq to escape 
> PostgreSQL identifiers.  Will this function be subject to the same 
> security/encoding issues as PQescapeString?

Is this of any general-purpose use?  How many apps are really prepared
to let an untrusted user dictate which columns are selected/compared?

But to answer your question, yes, I can certainly imagine
encoding-related risks...

			regards, tom lane

In response to

Responses

pgsql-hackers by date

Next:From: Christopher Kings-LynneDate: 2006-05-31 03:15:58
Subject: Re: PQescapeIdentifier
Previous:From: Christopher Kings-LynneDate: 2006-05-31 02:50:24
Subject: PQescapeIdentifier

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group