Skip site navigation (1) Skip section navigation (2)

Re: Escaping strings for inclusion into SQL queries

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-01 07:53:48
Message-ID: Pine.LNX.4.30.0109010953050.722-100000@peter.localdomain (view raw or flat)
Thread:
Lists: pgsql-hackers
For consistency with the rest of the libpq API, the function should be
called PQescapeString, not PGescapeString.

Bruce Momjian writes:

>
> Your patch has been added to the PostgreSQL unapplied patches list at:
>
> 	http://candle.pha.pa.us/cgi-bin/pgpatches
>
> I will try to apply it within the next 48 hours.
>
> > It has come to our attention that many applications which use libpq
> > are vulnerable to code insertion attacks in strings and identifiers
> > passed to these applications.  We have collected some evidence which
> > suggests that this is related to the fact that libpq does not provide
> > a function to escape strings and identifiers properly.  (Both the
> > Oracle and MySQL client libraries include such a function, and the
> > vast majority of applications we examined are not vulnerable to code
> > insertion attacks because they use this function.)
> >
> > We therefore suggest that a string escaping function is included in a
> > future version of PostgreSQL and libpq.  A sample implementation is
> > provided below, along with documentation.
> >
> > --
> > Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> > University of Stuttgart           http://cert.uni-stuttgart.de/
> > RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
>
> [ Attachment, skipping... ]
>
> [ Attachment, skipping... ]
>
> [ Attachment, skipping... ]
>
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 2: you can get off all lists at once with the unregister command
> >     (send "unregister YourEmailAddressHere" to majordomo(at)postgresql(dot)org)
>
>

-- 
Peter Eisentraut   peter_e(at)gmx(dot)net   http://funkturm.homeip.net/~peter


In response to

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2001-09-01 07:57:00
Subject: Re: Re: Escaping strings for inclusion into SQL queries
Previous:From: Command Prompt, Inc.Date: 2001-09-01 02:28:50
Subject: [PATCHES] to_char and Roman Numeral (RN) bug

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group