Re: Problem with character ' (single quote) in text fields

From: Einar Karttunen <ekarttun(at)cs(dot)helsinki(dot)fi>
To: Jordi <jordil2(at)hotmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Problem with character ' (single quote) in text fields
Date: 2002-01-21 11:35:49
Message-ID: 20020121113549.GC25853@shellak.helsinki.fi
Lists: pgsql-general

On 21.01.02 11:42 +0100(+0000), Jordi wrote:
> Is there any way to change the start/end of Text field character or do you
> know a better workaround to avoid parsing/changing all the text fields just
> in case they contain the single quote ( ') character??.
>
In case the data comes from outside you *must* escape it. Libpq defines a
function for it called PQescapeString. Consider what would happen if you
had code like this:

char buf[BUF_SIZE];
snprintf(buf,BUF_SIZE,"SELECT * FROM mytable WHERE field='%s';",string_from_user);
PQexec(con,buf);

Now let's say the user would enter a value like
0';DELETE FROM mytable;SELECT '1
and the db would see
SELECT * FROM mytable WHERE field='0';DELETE FROM mytable;SELECT '1';

- Einar Karttunen
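The injection above and the escaping fix, as an added example that is not part of the original mail. It puts the unsafe snprintf beside a hardened version and feeds both the exact payload Einar quotes. libpq is not linked here: escape_string is a local stand-in written for this example that reproduces what PQescapeString does to a value (doubles single quotes and backslashes), and count_statements is a toy statement counter used only to make the difference visible.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define BUF_SIZE 256

/* Stand-in for libpq's PQescapeString (added example, not libpq code).
 * Like the real function it doubles single quotes so the value cannot
 * terminate the string literal, and doubles backslashes, which servers
 * of that era treated as an escape character inside literals.
 * Returns the number of bytes written to 'to', excluding the NUL. */
size_t escape_string(char *to, const char *from, size_t length)
{
    size_t written = 0;
    for (size_t i = 0; i < length && from[i] != '\0'; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[written++] = from[i];      /* emit the character twice */
        to[written++] = from[i];
    }
    to[written] = '\0';
    return written;
}

/* The vulnerable construction from the mail: user text pasted verbatim. */
int build_query_unsafe(char *buf, size_t size, const char *string_from_user)
{
    return snprintf(buf, size, "SELECT * FROM mytable WHERE field='%s';",
                    string_from_user);
}

/* Hardened construction: escape first. The escaped copy is sized for the
 * worst case, every byte doubled plus the terminating NUL. */
int build_query_safe(char *buf, size_t size, const char *string_from_user)
{
    size_t len = strlen(string_from_user);
    char *escaped = malloc(2 * len + 1);
    if (escaped == NULL)
        return -1;
    escape_string(escaped, string_from_user, len);
    int n = snprintf(buf, size, "SELECT * FROM mytable WHERE field='%s';",
                     escaped);
    free(escaped);
    return n;
}

/* Toy statement counter: counts ';' outside single-quoted literals.
 * Only here to show how the server would split the two queries; a real
 * parser does far more than this. */
int count_statements(const char *sql)
{
    int in_quote = 0, count = 0;
    for (const char *p = sql; *p; p++) {
        if (*p == '\'')
            in_quote = !in_quote;
        else if (*p == ';' && !in_quote)
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed input: the payload quoted in the mail. */
    const char *string_from_user = "0';DELETE FROM mytable;SELECT '1";
    char buf[BUF_SIZE];

    build_query_unsafe(buf, BUF_SIZE, string_from_user);
    printf("unsafe: %s  (%d statements)\n", buf, count_statements(buf));

    build_query_safe(buf, BUF_SIZE, string_from_user);
    printf("safe:   %s  (%d statements)\n", buf, count_statements(buf));
    return 0;
}
```

With the escaped value the server sees `field='0'';DELETE FROM mytable;SELECT ''1'`, a single SELECT whose literal happens to contain semicolons and quotes. Note that escaping only protects values placed inside quotes; it does nothing for identifiers or numbers spliced into the query text. Later libpq versions also offer PQexecParams, which sends values separately from the statement so no quoting is needed at all.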
