Skip site navigation (1) Skip section navigation (2)

Re: Escaping strings for inclusion into SQL queries

From: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-04 18:42:47
Message-ID: (view raw or whole thread)
Lists: pgsql-hackers
Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:

> Patch removed at the request of the author.  Author will resubmit.

I've attached the fixed version of the patch below.  After the
discussion on pgsql-hackers (especially the frightening memory dump in
<12273(dot)999562219(at)sss(dot)pgh(dot)pa(dot)us>), we decided that it is best not to
use identifiers from an untrusted source at all.  Therefore, all
claims of the suitability of PQescapeString() for identifiers have
been removed.

Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
University of Stuttgart 
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

In response to


pgsql-hackers by date

Next:From: Mike CianfloneDate: 2001-09-04 19:05:28
Subject: Referential Integrity Stress Problem
Previous:From: Tom LaneDate: 2001-09-04 18:24:16
Subject: Re: Bad behaviour when inserting unspecified variable length datatypes

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group