| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Oliver Kindernay <oliver(dot)kindernay(at)gmail(dot)com> |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: PQescapeStringConn problem |
| Date: | 2010-05-15 17:13:32 |
| Message-ID: | 14249.1273943612@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
Oliver Kindernay <oliver(dot)kindernay(at)gmail(dot)com> writes:
> Hi. I am using libpq in my C application to comunicate with database.
> Application gets input from untrustworthy source and then uses it in
> SQL requests. To avoid SQL injection I want to use PQescapeStringConn
> function. The problem is, that i don't know how to properly use this
> function.
> http://www.postgresql.org/docs/7.3/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING
> How can I know the size of "to" buffer before I call this function?
I trust you're not *really* using Postgres 7.3? But in any case,
that documentation says
to shall point to a buffer that is able to hold at least one more byte
than twice the value of length
ie maximum output is 2 bytes per input byte, plus a null terminator.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Kindernay | 2010-05-15 18:48:00 | Re: PQescapeStringConn problem |
| Previous Message | Oliver Kindernay | 2010-05-15 17:01:19 | PQescapeStringConn problem |