Re: BUG #15474: Special character escape sequences need better documentation, or more easily found documentation

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, pgsql-bugs(at)lists(dot)postgresql(dot)org, bubthegreat(at)gmail(dot)com
Subject: Re: BUG #15474: Special character escape sequences need better documentation, or more easily found documentation
Date: 2018-11-01 07:13:02
Message-ID: 7eeb26ab-dd75-f1d6-f171-975c2d309120@iki.fi
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On 31/10/2018 18:51, Andrew Gierth wrote:
>>>>>> "PG" == PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
>
> PG> A simple table elaborating on the escapes for each special
> PG> character would be incredibly helpful at determining how to
> PG> translate those escapes for cleaning strings prior to insertion so
> PG> those of us using postgresql can quickly write cleaning functions
> PG> for data.
>
> If you're "writing cleaning functions" you're already making a serious
> mistake, because you should be passing data values as parameters (which
> do not require escapes) rather than interpolating into the query string.
>
> If you actually do need to interpolate into the query string for some
> reason (like doing COPY or other utility statement that doesn't support
> parameters), then you should be using the quote/escape functions
> provided by the driver for your client language (e.g. in libpq there is
> PQescapeStringConn).

Agreed. As pointed out in this report, though, the documentation doesn't
say that. This section is part of the "Lexical structure" chapter, so
it's perhaps more aimed at people writing drivers or SQL code
generators, than general application authors. But when someone like the
OP lands on that page, how can he tell?

It might be a good idea to add a note somewhere in there along the lines of:

"NOTE: All popular client libraries have functions for correctly quoting
and escaping user input, for use in string literals or SQL identifiers.
Most applications should use those, or use out-of-band query parameters,
instead of trying to follow the rules explained here directly. Please
refer to the documentation of your programming language or driver on how
to do that. The libpq quoting/escaping functions are explained in
https://www.postgresql.org/docs/current/static/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING".

- Heikki

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message Pavel Stehule 2018-11-01 07:27:24 Re: BUG #15477: Procedure call with named inout refcursor parameter - "invalid input syntax for type boolean" error
Previous Message PG Bug reporting form 2018-11-01 07:12:19 BUG #15478: 配置文件 pg_hba.conf 异常