Re: Escaping strings for inclusion into SQL queries

Perhaps I'm not thinking correctly but isn't it the job of the application
that's using the libpq library to escape special characters? I guess I don't
see a down side though, if it's implemented correctly to check and see if
characters are already escaped before escaping them (else major breakage of
existing application would occur).. I didn't see the patch but I assume that
someone took a look to make sure before applying it.

-Mitch

----- Original Message -----
From: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: "Florian Weimer" <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de>
Cc: <pgsql-hackers(at)postgresql(dot)org>
Sent: Thursday, August 30, 2001 6:43 PM
Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries

> > Florian Weimer <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de> writes:
> >
> > > We therefore suggest that a string escaping function is included in a
> > > future version of PostgreSQL and libpq. A sample implementation is
> > > provided below, along with documentation.
> >
> > We have now released a description of the problems which occur when a
> > string escaping function is not used:
> >
> > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> >
> > What further steps are required to make the suggested patch part of
> > the official libpq library?
>
> Will be applied soon. I was waiting for comments before adding it to
> the patch queue.