
Re: Escaping strings for inclusion into SQL queries

From: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-04 18:42:47
Message-ID: tg66ay94rc.fsf@mercury.rus.uni-stuttgart.de
Lists: pgsql-hackers
Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:

> Patch removed at the request of the author.  Author will resubmit.

I've attached the fixed version of the patch below.  After the
discussion on pgsql-hackers (especially the frightening memory dump in
<12273(dot)999562219(at)sss(dot)pgh(dot)pa(dot)us>), we decided that it is best not to
use identifiers from an untrusted source at all.  Therefore, all
claims of the suitability of PQescapeString() for identifiers have
been removed.

-- 
Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
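The distinction the message draws, that a string-literal escaper is not a tool for identifiers, is worth seeing in code. The following is an added example and is not libpq's code or part of the patch: escape_string_literal() re-implements the rule the libpq documentation of that period gave for PQescapeString() (every single quote and backslash in the input is doubled so the result can sit between single quotes), which is an assumption about that version's behaviour; quote_literal() and identifier_is_safe() are hypothetical helpers added here to show the defender's alternative for identifiers, an allowlist check instead of escaping.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Re-implementation (not libpq's code) of the documented rule for the
 * 2001-era PQescapeString(): double every ' and \ in the input so the
 * result can be placed between single quotes in a query. The caller must
 * provide an output buffer of at least 2*length + 1 bytes. */
size_t escape_string_literal(char *to, const char *from, size_t length)
{
    const char *src = from;
    char *dst = to;
    size_t remaining = length;

    while (remaining > 0 && *src != '\0') {
        if (*src == '\'' || *src == '\\')
            *dst++ = *src;        /* emit the character twice */
        *dst++ = *src++;
        remaining--;
    }
    *dst = '\0';
    return (size_t)(dst - to);
}

/* Hypothetical helper: build '...' with the value escaped. Returns bytes
 * written (excluding the NUL), or 0 if the output buffer is too small. */
size_t quote_literal(char *out, size_t outsize, const char *value)
{
    size_t len = strlen(value);
    if (outsize < 2 * len + 3)    /* worst case: every byte doubled + 2 quotes + NUL */
        return 0;
    out[0] = '\'';
    size_t n = escape_string_literal(out + 1, value, len);
    out[n + 1] = '\'';
    out[n + 2] = '\0';
    return n + 2;
}

/* Identifiers are a different syntactic category: they appear bare or in
 * double quotes, and the literal escaper above leaves '"' untouched, so it
 * offers no protection there. Hypothetical helper: instead of escaping an
 * untrusted identifier, accept only names matching [a-z_][a-z0-9_]{0,62}
 * and reject everything else outright. */
int identifier_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63)
        return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            return 0;
    }
    return 1;
}

int main(void)
{
    char buf[128];
    /* Constructed sample values for the demonstration. */
    const char *value = "O'Reilly \\ co";
    quote_literal(buf, sizeof buf, value);
    printf("literal: %s\n", buf);

    const char *names[] = { "user_name", "bad\"name", "Mixed", "1abc" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        /* Running an identifier through the literal escaper changes nothing
         * about a double quote; the allowlist check is what decides. */
        escape_string_literal(buf, names[i], strlen(names[i]));
        printf("identifier %-12s escaped=%-12s allowed=%d\n",
               names[i], buf, identifier_is_safe(names[i]));
    }
    return 0;
}
```

The allowlist is deliberately stricter than PostgreSQL's identifier grammar (no uppercase, no non-ASCII): when a table or column name must come from outside, the safe move is to map the untrusted input onto a fixed set of known names rather than to quote it.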
