Re: PQescapestringConn not found in libpq.dll

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: glynastill(at)yahoo(dot)co(dot)uk
Cc: Rafał Ziółkowski <rafzio4(at)wp(dot)pl>, pgsql-general(at)postgresql(dot)org
Subject: Re: PQescapestringConn not found in libpq.dll
Date: 2008-10-17 12:23:12
Message-ID: 14107.1224246192@sss.pgh.pa.us
Lists: pgsql-general

Glyn Astill <glynastill(at)yahoo(dot)co(dot)uk> writes:
> Sorry to steer this off the topic a bit, but we have a 3rd party app that insists on using libpq.dll version 8.0.1.5031 and we're on pgsql v 8.3.4.
> Apart from lacking functionality, is there anything else I should be aware of i.e. could this cause us any serious problems?

You really need to have a word with that application vendor.

I count the following noncosmetic patches applied to libpq in the 8.0
branch since 8.0.1. Note that this only covers bugs considered serious
enough to back-patch, not feature improvements that are in more recent
branches.

2008-01-14 13:46 tgl

* doc/src/sgml/protocol.sgml, src/interfaces/libpq/fe-protocol3.c
(REL8_0_STABLE): Fix an ancient oversight in libpq's handling of
V3-protocol COPY OUT mode: we need to be able to swallow NOTICE
messages, and potentially also ParameterStatus messages (although
the latter would be a bit weird), without exiting COPY OUT state.
Fix it, and adjust the protocol documentation to emphasize the need
for this. Per off-list report from Alexander Galler.

2007-07-23 14:12 mha

* src/interfaces/libpq/: fe-auth.c, fe-connect.c, libpq-int.h
(REL8_0_STABLE): The correct min buffer size is
INITIAL_EXPBUFFER_SIZE, not PQERRORMSG_LENGTH.

2006-05-21 16:20 tgl

* doc/src/sgml/libpq.sgml, src/interfaces/libpq/exports.txt,
src/interfaces/libpq/fe-connect.c, src/interfaces/libpq/fe-exec.c,
src/interfaces/libpq/libpq-fe.h, src/interfaces/libpq/libpq-int.h
(REL8_0_STABLE): Modify libpq's string-escaping routines to be
aware of encoding considerations and standard_conforming_strings.
The encoding changes are needed for proper escaping in multibyte
encodings, as per the SQL-injection vulnerabilities noted in
CVE-2006-2313 and CVE-2006-2314. Concurrent fixes are being
applied to the server to ensure that it rejects queries that may
have been corrupted by attempted SQL injection, but this merely
guarantees that unpatched clients will fail rather than allow
injection. An actual fix requires changing the client-side code.
While at it we have also fixed these routines to understand about
standard_conforming_strings, so that the upcoming changeover to
SQL-spec string syntax can be somewhat transparent to client code.

Since the existing API of PQescapeString and PQescapeBytea provides
no way to inform them which settings are in use, these functions
are now deprecated in favor of new functions PQescapeStringConn and
PQescapeByteaConn. The new functions take the PGconn to which the
string will be sent as an additional parameter, and look inside the
connection structure to determine what to do. So as to provide
some functionality for clients using the old functions, libpq
stores the latest encoding and standard_conforming_strings values
received from the backend in static variables, and the old
functions consult these variables. This will work reliably in
clients using only one Postgres connection at a time, or even
multiple connections if they all use the same encoding and string
syntax settings; which should cover many practical scenarios.

Clients that use homebrew escaping methods, such as PHP's
addslashes() function or even hardwired regexp substitution, will
require extra effort to fix :-(. It is strongly recommended that
such code be replaced by use of
PQescapeStringConn/PQescapeByteaConn if at all feasible.

2006-05-21 15:57 momjian

* contrib/dbmirror/DBMirror.pl, contrib/dbmirror/pending.c,
contrib/tsearch/expected/tsearch.out,
contrib/tsearch/sql/tsearch.sql,
contrib/tsearch2/expected/tsearch2.out,
contrib/tsearch2/sql/tsearch2.sql,
src/backend/utils/adt/ruleutils.c, src/bin/initdb/initdb.c,
src/bin/pg_dump/pg_dump.c, src/bin/psql/large_obj.c,
src/interfaces/ecpg/test/test1.pgc, src/interfaces/libpq/fe-exec.c,
src/pl/plpgsql/src/gram.y, src/tutorial/funcs.source
(REL8_0_STABLE): Change \' to '', for SQL standards compliance.
Backpatch to 7.3, 7.4, and 8.0. Later releases already patched.

2006-04-19 12:15 tgl

* src/interfaces/libpq/fe-print.c (REL8_0_STABLE): Fix ancient
memory leak in PQprintTuples(); our code no longer uses this
routine, but perhaps some applications do. Found by Martijn van
Oosterhout using Coverity.

2005-07-13 11:26 tgl

* src/interfaces/libpq/fe-connect.c (REL8_0_STABLE): Fix libpq
memory leak during PQreset() --- closePGconn() was not freeing all
transient state of the PGconn object.

2005-07-08 11:24 tgl

* src/interfaces/libpq/fe-misc.c (REL8_0_STABLE): Make
libpq_gettext save and restore errno in a Windows-compatible way.
Also, back-patch fix into back branches.

2005-05-05 12:36 momjian

* src/interfaces/libpq/fe-connect.c (REL8_0_STABLE): Add
WSACleanup() for Win32 socket cleanup.

Jason Erickson

2005-03-24 19:35 tgl

* configure, configure.in, src/backend/postmaster/pgstat.c,
src/backend/postmaster/postmaster.c, src/include/port.h,
src/interfaces/libpq/Makefile, src/interfaces/libpq/fe-auth.c,
src/interfaces/libpq/fe-connect.c, src/port/noblock.c
(REL8_0_STABLE): Kerberos fixes from Magnus Hagander --- in theory
Kerberos 5 auth should work on Windows now. Also, rename
set_noblock to pg_set_noblock; since it is included in libpq, the
former name polluted application namespace.

2005-03-13 17:04 momjian

* src/interfaces/: ecpg/compatlib/Makefile, ecpg/ecpglib/Makefile,
ecpg/pgtypeslib/Makefile, ecpg/preproc/Makefile, libpq/Makefile
(REL8_0_STABLE): Increment all major version numbers in 8.0.X to
force recompile of client applications so 7.4.X releases can be
installed on the same machine as 8.0.X.

regards, tom lane
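
The 2006-05-21 entry above explains why string escaping has to know the connection's encoding and standard_conforming_strings setting. The sketch below is an added example, not part of the original message and not libpq's code: escape_bytewise, escape_mb_aware, and the simplified GBK-like lead/trail rule are hypothetical names and assumptions made for illustration.

```c
#include <stdio.h>

/* Assumed GBK-like rule (simplified): 0x81..0xFE starts a two-byte character
 * whose trail byte is 0x40..0xFE except 0x7F. Not libpq's encoding tables. */
static int is_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int is_trail(unsigned char c) { return c >= 0x40 && c <= 0xFE && c != 0x7F; }

/* Byte-wise escaper: doubles every ' and \ byte, unaware of character bounds. */
size_t escape_bytewise(unsigned char *to, const unsigned char *from, size_t n)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[o++] = from[i];
        to[o++] = from[i];
    }
    return o;
}

/* Encoding-aware escaper: copies a two-byte character as one unit, sets *error
 * on a truncated or invalid sequence, always doubles ', and doubles \ only
 * when std_strings (standard_conforming_strings) is off. */
size_t escape_mb_aware(unsigned char *to, const unsigned char *from, size_t n,
                       int std_strings, int *error)
{
    size_t o = 0;
    *error = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = from[i];
        if (is_lead(c)) {
            if (i + 1 >= n || !is_trail(from[i + 1])) { *error = 1; return o; }
            to[o++] = c; to[o++] = from[++i];   /* keep the character intact */
            continue;
        }
        if (c == '\'' || (c == '\\' && !std_strings))
            to[o++] = c;
        to[o++] = c;
    }
    return o;
}

int main(void)
{
    /* Constructed input: 'a', a two-byte character with trail 0x5C, "'b". */
    const unsigned char in[] = { 'a', 0x81, 0x5C, '\'', 'b' };
    unsigned char out[2 * sizeof in];
    int err;
    printf("byte-wise %zu, mb-aware %zu bytes\n", escape_bytewise(out, in, sizeof in),
           escape_mb_aware(out, in, sizeof in, 0, &err));
    return err;
}
```

The byte-wise routine treats the 0x5C trail byte as a backslash and alters the character, while the encoding-aware routine leaves it intact and refuses input that is not valid in the assumed encoding.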
