From: | Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Escaping strings for inclusion into SQL queries |
Date: | 2001-09-04 18:42:47 |
Message-ID: | tg66ay94rc.fsf@mercury.rus.uni-stuttgart.de |
Lists: | pgsql-hackers |

Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:

> Patch removed at the request of the author. Author will resubmit.

I've attached the fixed version of the patch below. After the
discussion on pgsql-hackers (especially the frightening memory dump in
<12273(dot)999562219(at)sss(dot)pgh(dot)pa(dot)us>), we decided that it is best not to
use identifiers from an untrusted source at all. Therefore, all
claims of the suitability of PQescapeString() for identifiers have
been removed.
--
Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898