Re: Re: Escaping strings for inclusion into SQL queries

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Re: Escaping strings for inclusion into SQL queries
Date: 2001-09-03 20:28:49
Message-ID: 200109032028.f83KSnD18708@candle.pha.pa.us
Lists: pgsql-hackers


OK, can you supply an updated patch?

> Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
>
> > Florian Weimer writes:
> >
> > > The first version escaped ' with ''. I changed it when I noticed that
> > > if \' is used instead, the same function can be used for strings
> > > ('...') and identifiers ("...").
> >
> > Last time I checked (15 seconds ago), you could not escape " with \ in
> > PostgreSQL. The identifier parsing rules are a bit different from strings.
>
> Yes, we misread the lexer description. I'm sorry about that.
>
> In addition, there seems to be a bug in the treatment of "" escapes in
> identifiers. 'SELECT """";' yields the error message 'Attribute '""'
> not found ' (not '"'!) or even 'Attribute '""\' not found', depending
> on the queries executed before.
>
> For identifiers, comparing the characters to a white list is probably
> a more reasonable approach.
>
> --
> Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
> University of Stuttgart http://cert.uni-stuttgart.de/
> RUS-CERT +49-711-685-5973/fax +49-711-685-5898

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

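The thread discusses two different quoting rules: inside a string literal ('...') a single quote can be written as '' (the first version of Florian's function), while inside a quoted identifier ("...") only the doubled "" form works, since backslash is not an escape there. The following is an added example, not the patch Bruce asks for and not libpq code; the function names escape_string_literal, escape_identifier and identifier_is_safe are my own. It doubles only the relevant quote character for each context and, for identifiers that will be used unquoted, applies the whitelist check Florian suggests instead of escaping.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly malloc'd copy of `in` in which every occurrence of `quote`
 * is doubled, so the result can sit between a pair of `quote` characters in a
 * query. Caller frees. Example code, not the patch under discussion. */
static char *double_quote_char(const char *in, char quote)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);      /* worst case: every byte is a quote */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == quote)
            *p++ = quote;               /* ' -> ''  or  " -> "" */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Body of a string literal: ' becomes ''. */
char *escape_string_literal(const char *in)
{
    return double_quote_char(in, '\'');
}

/* Body of a quoted identifier: " becomes "".  Backslash is deliberately
 * left alone, because it is not an escape character inside "...". */
char *escape_identifier(const char *in)
{
    return double_quote_char(in, '"');
}

/* Whitelist for an identifier that will be inserted *unquoted*: non-empty,
 * first byte a letter or underscore, the rest letters, digits or underscore.
 * Anything else (quotes, spaces, semicolons, ...) is rejected outright.
 * Returns 1 if safe, 0 otherwise. */
int identifier_is_safe(const char *in)
{
    if (in == NULL || *in == '\0')
        return 0;
    if (!(isalpha((unsigned char)*in) || *in == '_'))
        return 0;
    for (const char *s = in + 1; *s != '\0'; s++) {
        if (!(isalnum((unsigned char)*s) || *s == '_'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: a hostile column name and a value with a quote. */
    const char *column = "name\"; DROP TABLE users; --";
    const char *value  = "O'Reilly";

    char *ident = escape_identifier(column);
    char *lit   = escape_string_literal(value);
    if (ident == NULL || lit == NULL)
        return 1;

    /* Both pieces end up inert inside their quote pairs. */
    printf("SELECT \"%s\" FROM t WHERE v = '%s';\n", ident, lit);
    printf("unquoted use of column allowed: %s\n",
           identifier_is_safe(column) ? "yes" : "no");

    free(ident);
    free(lit);
    return 0;
}
```

Two caveats a practitioner would want here: in the PostgreSQL of this thread's era, backslash was also an escape character inside string literals, so a literal escaper for that server had to deal with backslashes too (today that depends on standard_conforming_strings); and the whitelist says nothing about reserved words, so an unquoted identifier that passes it can still be a syntax error, just not an injection. Quoted identifiers are also case-sensitive while unquoted ones are folded to lower case, so the two paths are not interchangeable.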