| From: | michael <michael(at)galton(dot)ucl(dot)ac(dot)uk> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #2228: escaped single quotes choke spi_exec_query in |
| Date: | 2006-02-01 15:32:40 |
| Message-ID: | 20060201153005.O85967@ash.gene.ucl.ac.uk |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Wed, 1 Feb 2006, Tom Lane wrote:
> "Michael Lush" <michael(at)galton(dot)ucl(dot)ac(dot)uk> writes:
> > CREATE OR REPLACE FUNCTION quote_bug(text) RETURNS text AS
> > $$
> > $data = $_[0];
>
> > $sql = "SELECT *
> > FROM test
> > WHERE foo = '$data'";
>
> > $rv_unique = spi_exec_query($sql);
>
> It's hardly a bug that you get a syntax error when $data contains
> a single quote. It's up to you to construct a well-formed query
> string to give to spi_exec_query, and this code is not doing that.
>
> regards, tom lane
As I understand it the input strings are correctly escaped
INSERT INTO test VALUES ('No problem here');
INSERT INTO test VALUES ('It''s a problem here');
INSERT INTO test VALUES ('It\'s also a problem here');
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Michael John Lush PhD Tel:44-20-7679-5027
Nomenclature Bioinformatician Fax:44-20-7387-3496
HUGO Gene Nomenclature Committee Email: nome(at)galton(dot)ucl(dot)ac(dot)uk
The Galton Laboratory
University College London, UK
URL: http://www.gene.ucl.ac.uk/nomenclature/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-02-01 15:38:29 | Re: BUG #2228: escaped single quotes choke spi_exec_query in plperlu |
| Previous Message | Tom Lane | 2006-02-01 15:28:04 | Re: BUG #2229: Parsing error in Functions Grant Wizard |