Re: BUG #5304: psql using conninfo fails in connecting to the server

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Fujii Masao <masao(dot)fujii(at)gmail(dot)com>
Cc: Joe Conway <mail(at)joeconway(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #5304: psql using conninfo fails in connecting to the server
Date: 2010-02-03 02:10:57
Message-ID: 14396.1265163057@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers

Fujii Masao <masao(dot)fujii(at)gmail(dot)com> writes:
> On Wed, Feb 3, 2010 at 10:05 AM, Joe Conway <mail(at)joeconway(dot)com> wrote:
>> Objections?

> I think that PQconnectdbParams() rather than psql should handle the
> dbname containing "=". Otherwise whenever we use PQconnectdbParams(),
> we would have to check for the content of the dbname before calling
> it in the future application. Which looks very messy for me.

Yeah, I just complained about the same thing. However I don't think
we should make PQconnectdbParams do that unconditionally. In a lot of
applications, it is a key advantage of PQconnectdbParams that there's
no possibility of funny characters in the arguments resulting in "SQL
injection", ie, somebody being able to set connection parameters they
weren't supposed to. Even without any malicious intent, having to
think about quoting and so forth destroys a lot of the value.

Since we haven't yet released PQconnectdbParams, it's not too late
to twiddle its API. What I'm thinking about is an additional
boolean parameter "expand_dbname", which only if true would enable
treating an equal-sign-containing dbname like a conninfo string.
Passing true would be okay for command-line apps where the user is
supposed to control all the conn parameters anyway, but apps that
want more security would pass false.

We should also give more than zero thought to how values coming from the
expanded dbname should interact with values from other arguments to
PQconnectdbParams --- which should override which? And should there be
an order dependency?

regards, tom lane

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Joe Conway 2010-02-03 02:25:27 Re: BUG #5304: psql using conninfo fails in connecting to the server
Previous Message Joe Conway 2010-02-03 02:05:49 Re: BUG #5304: psql using conninfo fails in connecting to the server

Browse pgsql-hackers by date

  From Date Subject
Next Message Joe Conway 2010-02-03 02:25:27 Re: BUG #5304: psql using conninfo fails in connecting to the server
Previous Message Joe Conway 2010-02-03 02:05:49 Re: BUG #5304: psql using conninfo fails in connecting to the server