| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Rod Taylor <pg(at)rbt(dot)ca> |
| Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
| Subject: | Re: Escape handling in strings |
| Date: | 2005-06-16 12:55:04 |
| Message-ID: | 14648.1118926504@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-patches |
Rod Taylor <pg(at)rbt(dot)ca> writes:
> It probably won't be any worse than when '' was rejected for an integer
> 0.
That analogy is *SO* far off the mark that I have to object.
Fooling with quoting rules will not simply cause clean failures, which
is what you got from ''-no-longer-accepted-by-atoi. What it will cause
is formerly valid input being silently interpreted as something else.
That's bad enough, but it gets worse: formerly secure client code may
now be vulnerable to SQL-injection attacks, because it doesn't know how
to quote text properly.
What we are talking about here is an extremely significant change with
extremely serious consequences, and imagining that it is not will be
a recipe for disaster.
I also think that pgsql-patches is not the place to be discussing such
things... it needs a whole lot more visibility.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-06-16 12:56:31 | Re: Escape handling in strings |
| Previous Message | Tom Lane | 2005-06-16 12:35:49 | Re: [HACKERS] INHERITS and planning |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2005-06-16 12:56:31 | Re: Escape handling in strings |
| Previous Message | Martin Pitt | 2005-06-16 06:41:54 | Re: Add PG version number to NLS files |