Skip site navigation (1) Skip section navigation (2)

Re: Re: Escaping strings for inclusion into SQL queries

From: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-03 16:03:37
Message-ID: tgheukl0rq.fsf@mercury.rus.uni-stuttgart.de (view raw or flat)
Thread:
Lists: pgsql-hackers
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:

> Florian Weimer writes:
> 
> > The first version escaped ' with ''.  I changed it when I noticed that
> > if \' is used instead, the same function can be used for strings
> > ('...') and identifiers ("...").
> 
> Last time I checked (15 seconds ago), you could not escape " with \ in
> PostgreSQL.  The identifer parsing rules are a bit different from strings.

Yes, we misread the lexer description.  I'm sorry about that.

In addition, there seems to be a bug in the treatment of "" escapes in
identifiers. 'SELECT """";' yields the error message 'Attribute '""'
not found ' (not '"'!) or even 'Attribute '""\' not found', depending
on the queries executed before.

For identifiers, comparing the characters to a white list is probably
a more reasonable approach.

-- 
Florian Weimer 	                  Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

In response to

Responses

pgsql-hackers by date

Next:From: Stephan SzaboDate: 2001-09-03 17:43:06
Subject: Re: INDEX BUG???
Previous:From: Marc G. FournierDate: 2001-09-03 15:46:29
Subject: ignore ...

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group