From: | Florian Weimer <Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Re: Escaping strings for inclusion into SQL queries |
Date: | 2001-09-03 16:03:37 |
Message-ID: | tgheukl0rq.fsf@mercury.rus.uni-stuttgart.de |
Lists: | pgsql-hackers |
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Florian Weimer writes:
>
> > The first version escaped ' with ''. I changed it when I noticed that
> > if \' is used instead, the same function can be used for strings
> > ('...') and identifiers ("...").
>
> Last time I checked (15 seconds ago), you could not escape " with \ in
> PostgreSQL. The identifier parsing rules are a bit different from strings.
Yes, we misread the lexer description. I'm sorry about that.
In addition, there seems to be a bug in the treatment of "" escapes in
identifiers. 'SELECT """";' yields the error message 'Attribute '""'
not found ' (not '"'!) or even 'Attribute '""\' not found', depending
on the queries executed before.
For identifiers, comparing the characters to a white list is probably
a more reasonable approach.
--
Florian Weimer Florian(dot)Weimer(at)RUS(dot)Uni-Stuttgart(dot)DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
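An added example, not code from this thread or from PostgreSQL itself: the two quoting rules side by side in Python, the shared backslash routine the thread started from (kept only for contrast), and the white-list check suggested above. The function names, the table `t` and the sample inputs are assumptions constructed for illustration.

```python
import re

# Unquoted-identifier shape: a letter or underscore, then letters, digits
# or underscores. Used by the white-list check below.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_literal(value: str) -> str:
    """String literal: double every single quote. '' is the SQL-standard
    form and does not depend on whether the server treats \\ as an escape."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Quoted identifier: double every double quote. Backslash is not an
    escape character inside "...", which is why one routine cannot serve
    both string literals and identifiers."""
    return '"' + name.replace('"', '""') + '"'


def backslash_quote(text: str, q: str) -> str:
    """The shared routine discussed in the thread: escape the delimiter q
    with a backslash. For q == '"' the result is not a valid identifier."""
    return q + text.replace("\\", "\\\\").replace(q, "\\" + q) + q


def check_identifier(name: str) -> str:
    """White-list approach: accept only plain identifier characters and
    return the name unchanged; anything else is rejected, not escaped."""
    if not _IDENT_RE.fullmatch(name):
        raise ValueError(f"identifier rejected by white list: {name!r}")
    return name


def build_select(column: str, value: str) -> str:
    """Compose a query from a white-listed column and a quoted literal
    (table name t is a constructed placeholder)."""
    col = check_identifier(column)
    return f"SELECT {col} FROM t WHERE name = {quote_literal(value)};"


if __name__ == "__main__":
    print(quote_literal("O'Reilly"))          # 'O''Reilly'
    print(quote_identifier('odd"name'))       # "odd""name"
    print(backslash_quote('odd"name', '"'))   # "odd\"name"  (wrong for identifiers)
    print(build_select("surname", "O'Reilly"))
```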