Re: [PATCHES] Escape handling in strings

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Rod Taylor <pg(at)rbt(dot)ca>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>
Subject: Re: [PATCHES] Escape handling in strings
Date: 2005-06-16 15:25:23
Message-ID: 42B199E3.8000102@dunslane.net
Lists: pgsql-hackers pgsql-patches


[switched to -hackers]

Tom Lane wrote:

>Rod Taylor <pg(at)rbt(dot)ca> writes:
>
>>It probably won't be any worse than when '' was rejected for an integer
>>0.
>
>That analogy is *SO* far off the mark that I have to object.
>
>Fooling with quoting rules will not simply cause clean failures, which
>is what you got from ''-no-longer-accepted-by-atoi. What it will cause
>is formerly valid input being silently interpreted as something else.
>That's bad enough, but it gets worse: formerly secure client code may
>now be vulnerable to SQL-injection attacks, because it doesn't know how
>to quote text properly.
>
>What we are talking about here is an extremely significant change with
>extremely serious consequences, and imagining that it is not will be
>a recipe for disaster.
>
All true. Conversely, there does need to be a path for us to get to
standard behaviour.

I think we're going to need to provide for switchable behaviour, as ugly
as that might be (looking briefly at scan.l it looks like the simplest
way would be a separate state for being inside standard strings, with
the choice of state being made conditionally in the {xqstart} rule).

We can't just break backwards compatibility overnight like this.

cheers

andrew
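The hazard Tom describes (formerly valid, correctly quoted input being read differently once the server's string rules switch) can be shown with a small scanner. The following is an added illustration, not code from this thread or from PostgreSQL's scan.l: a toy `scan_literal` that reads one single-quoted literal either with backslash escapes (the behaviour of the time) or with SQL-standard rules (backslash is an ordinary character; only a doubled quote is an escape), plus two client-side quoting routines. The function names, the reduced set of backslash escapes and the sample values are all constructed for the example.

```python
"""Toy PostgreSQL string-literal scanner (constructed for illustration).

Shows why a client that quotes with backslashes breaks, and can become
injectable, when the server is switched to SQL-standard string rules.
"""

# Subset of the legacy backslash escapes, enough for the demonstration.
_LEGACY_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def scan_literal(sql: str, standard_strings: bool):
    """Scan one single-quoted literal at the start of `sql`.

    Returns (value, remainder), where `remainder` is the SQL text left over
    after the closing quote. With standard_strings=False a backslash escapes
    the next character; with standard_strings=True only '' is an escape.
    Raises ValueError on an unterminated literal.
    """
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            # A doubled quote is an escaped quote in both modes.
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]
        if c == "\\" and not standard_strings:
            if i + 1 >= len(sql):
                raise ValueError("unterminated literal")
            nxt = sql[i + 1]
            out.append(_LEGACY_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated literal")


def quote_backslash(value: str) -> str:
    """Quoting habit of a client written against backslash-escape servers."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_for(value: str, standard_strings: bool) -> str:
    """Mode-aware quoting: double quotes always, double backslashes only
    when the server still treats backslash as an escape."""
    if not standard_strings:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def mismatch_demo():
    """Legacy-style client literal read by a standard-strings server.

    The backslash no longer protects the quote, so the literal ends early
    and the rest of the user's text is left over as SQL.
    """
    literal = quote_backslash("O'Reilly")      # 'O\'Reilly'
    return scan_literal(literal, standard_strings=True)


if __name__ == "__main__":
    legacy_literal = quote_backslash("O'Reilly")
    print("legacy server  :", scan_literal(legacy_literal, False))
    print("standard server:", scan_literal(legacy_literal, True))
    for mode in (False, True):
        lit = quote_for("a\\b'c", mode)
        print("mode-aware", mode, ":", lit, "->", scan_literal(lit, mode))
```

Running it shows the same literal `'O\'Reilly'` yielding `("O'Reilly", "")` on the old rules and `("O\\", "Reilly'")` on standard rules: the leftover `Reilly'` would be parsed as SQL, which is the injection path Tom warns about. `quote_for` round-trips in both modes because it follows the server's setting, which is the argument for making the behaviour switchable and for clients asking the server which rules are in force rather than assuming.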
