From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Rod Taylor <pg(at)rbt(dot)ca>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au> |
Subject: | Re: [PATCHES] Escape handling in strings |
Date: | 2005-06-16 15:25:23 |
Message-ID: | 42B199E3.8000102@dunslane.net |
Lists: | pgsql-hackers pgsql-patches |
[switched to -hackers]
Tom Lane wrote:
>Rod Taylor <pg(at)rbt(dot)ca> writes:
>
>>It probably won't be any worse than when '' was rejected for an integer
>>0.
>
>That analogy is *SO* far off the mark that I have to object.
>
>Fooling with quoting rules will not simply cause clean failures, which
>is what you got from ''-no-longer-accepted-by-atoi. What it will cause
>is formerly valid input being silently interpreted as something else.
>That's bad enough, but it gets worse: formerly secure client code may
>now be vulnerable to SQL-injection attacks, because it doesn't know how
>to quote text properly.
>
>What we are talking about here is an extremely significant change with
>extremely serious consequences, and imagining that it is not will be
>a recipe for disaster.
All true. Conversely, there does need to be a path for us to get to
standard behaviour.

I think we're going to need to provide for switchable behaviour, as ugly
as that might be (looking briefly at scan.l it looks like the simplest
way would be a separate state for being inside standard strings, with
the choice of state being made conditionally in the {xqstart} rule).
We can't just break backwards compatibility overnight like this.

cheers

andrew
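The risk Tom describes and the switchable scanner state Andrew proposes can be made concrete with a small model. The following C program is an added example written for this archive page; it is not PostgreSQL's scan.l and none of its names (`escape_mode`, `scan_literal`, `quote_value`, `roundtrip_ok`) exist in the project. It implements a toy scanner for single-quoted string literals with two modes, one where backslash escapes the next character and one where a backslash is an ordinary character and only a doubled quote is special, together with the two matching client-side quoting styles. `roundtrip_ok` is the check a client library would want in its test suite: quote a value, scan the result under the server's mode, and confirm the server sees exactly one literal that decodes back to the original value. The sample value `O'Reilly\` is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; PostgreSQL's scanner does not use them. */
typedef enum {
    MODE_BACKSLASH_ESCAPES,  /* backslash escapes the following character */
    MODE_STANDARD            /* backslash is literal; only '' is special */
} escape_mode;

/* Scan one literal that must start at sql[0] == '\''.  Returns the number
 * of bytes consumed (both delimiters included) or 0 if the literal never
 * terminates.  The decoded content is written to out, NUL-terminated.
 * This is the "separate state per mode" idea in miniature: the only
 * difference between the modes is how a backslash is treated. */
size_t scan_literal(const char *sql, escape_mode mode, char *out, size_t outsz)
{
    size_t i = 1, o = 0;
    if (sql[0] != '\'' || outsz == 0) return 0;
    for (;;) {
        char c = sql[i];
        if (c == '\0') return 0;                       /* unterminated */
        if (c == '\\' && mode == MODE_BACKSLASH_ESCAPES) {
            if (sql[i + 1] == '\0') return 0;           /* dangling backslash */
            if (o + 1 < outsz) out[o++] = sql[i + 1];   /* toy: no \n decoding */
            i += 2;
            continue;
        }
        if (c == '\'') {
            if (sql[i + 1] == '\'') {                   /* doubled quote */
                if (o + 1 < outsz) out[o++] = '\'';
                i += 2;
                continue;
            }
            out[o] = '\0';
            return i + 1;                               /* closing quote */
        }
        if (o + 1 < outsz) out[o++] = c;
        i++;
    }
}

/* Client-side quoting in the style matching `style`.  Backslash style
 * escapes both ' and \ with a backslash; standard style doubles ' and
 * leaves \ alone.  Returns the output length or 0 if out is too small. */
size_t quote_value(const char *val, escape_mode style, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return 0;
    out[o++] = '\'';
    for (; *val; val++) {
        char c = *val;
        if (c == '\'') {
            if (o + 3 >= outsz) return 0;
            out[o++] = (style == MODE_BACKSLASH_ESCAPES) ? '\\' : '\'';
            out[o++] = '\'';
        } else if (c == '\\' && style == MODE_BACKSLASH_ESCAPES) {
            if (o + 3 >= outsz) return 0;
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            if (o + 2 >= outsz) return 0;
            out[o++] = c;
        }
    }
    out[o++] = '\'';
    out[o] = '\0';
    return o;
}

/* 1 if a server running in server_mode sees exactly one literal, covering
 * the whole quoted text and decoding back to val; 0 otherwise.  A 0 here
 * means part of the value landed outside the literal or the literal never
 * closed: exactly the "silently interpreted as something else" failure. */
int roundtrip_ok(const char *val, escape_mode client_assumes, escape_mode server_mode)
{
    char quoted[512], decoded[256];
    if (quote_value(val, client_assumes, quoted, sizeof quoted) == 0) return 0;
    size_t n = scan_literal(quoted, server_mode, decoded, sizeof decoded);
    return n != 0 && quoted[n] == '\0' && strcmp(decoded, val) == 0;
}

int main(void)
{
    const char *val = "O'Reilly\\";   /* constructed sample value */
    escape_mode modes[2] = { MODE_BACKSLASH_ESCAPES, MODE_STANDARD };
    const char *names[2] = { "backslash", "standard" };
    for (int c = 0; c < 2; c++)
        for (int s = 0; s < 2; s++)
            printf("client quotes for %-9s server scans as %-9s -> %s\n",
                   names[c], names[s],
                   roundtrip_ok(val, modes[c], modes[s]) ? "ok" : "MISMATCH");
    return 0;
}
```

Only the two matching combinations pass; a client that quotes for one mode against a server scanning in the other either leaves the literal unterminated or closes it early with the tail of the value left as bare SQL. That is why a mode switch needs a way for clients to discover the server's setting, and why a quoting routine that matches the server is only a fallback to parameterized statements.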