From: "Matt Van Mater" <nutter_(at)hotmail(dot)com>
To: tgl(at)sss(dot)pgh(dot)pa(dot)us
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: how to preserve \n in select statement
Date: 2003-12-20 17:58:39
Message-ID: BAY9-F42t0CI76rOJhK00098f93@hotmail.com
Lists: pgsql-sql
>Because you are using an input syntax that requires that quotes and
>backslashes be escaped. There are other input methods available that
>don't require this, but they have disadvantages of their own. In
>particular, you have to separate data from SQL command if you want a
>no-escape-processing behavior for data.
Right, I was looking for the alternate input methods that you allude to. I
have been unable to find an example of exactly how to do this.
> > I think this behavior stems from a security problem psql had a while
> > back where escape characters were being interpreted, and this may be
> > another instance of that functionality.
>Matt, you have no idea what you are talking about.
I readily admit that I didn't read much into it, but I think you are
mistaken. If you look at the following links you will see that PostgreSQL
definitely had a vulnerability that allowed SQL injection through the use of
escape characters. I was simply saying that this behavior might be a way of
preventing that from happening again.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0802
http://cert.uni-stuttgart.de/doc/postgresql/escape/
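An added example, not part of this message or of the thread, that models the two routes the quoted reply describes: splice the data into the SQL text (so backslashes and quotes must be escaped), or keep the data out of the SQL text altogether (so no escape processing touches it). The scanner below is a deliberately small toy that follows the backslash-processing rules of PostgreSQL literals of that era; it is not PostgreSQL's own scanner. The helper names (pg_escape_literal, quote_only_escape, lex_literal, select_literal, exec_params) are this example's own; exec_params only mimics the contract of a real parameterised call such as libpq's PQexecParams, and the sample inputs are constructed.

```python
"""
Toy model of PostgreSQL's old backslash-processing string literals.
Added example, not from the thread: it assumes the escape rules the
quoted reply describes (quotes and backslashes in a literal must be
escaped) and a simplified scanner, not PostgreSQL's real one.
"""

# C-style escapes recognised inside '...' in this toy; octal escapes and
# anything else the real scanner handled are left out on purpose.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def pg_escape_literal(value: str) -> str:
    """Quote VALUE for splicing into SQL text: every backslash and every
    single quote is doubled, so the scanner reproduces VALUE exactly."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def quote_only_escape(value: str) -> str:
    """The incomplete variant: quotes doubled, backslashes left alone."""
    return "'" + value.replace("'", "''") + "'"


def lex_literal(text: str):
    """Decode the single-quoted literal at the start of TEXT the way the
    old scanner did: \\n and friends become control characters, \\\\ becomes
    one backslash, and either '' or \\' becomes a quote character.
    Returns (decoded_value, sql_text_after_the_closing_quote)."""
    if not text.startswith("'"):
        raise ValueError("expected a string literal")
    out, i = [], 1
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            out.append(ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        elif c == "'":
            if text[i + 1:i + 2] == "'":          # '' inside a literal
                out.append("'")
                i += 2
            else:                                  # closing quote
                return "".join(out), text[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def select_literal(sql: str):
    """Run the one statement shape this toy understands: SELECT '<lit>' ...
    Returns (value, rest). REST is whatever followed the closing quote; if
    it is anything but ';', the scanner treated part of the data as SQL."""
    prefix = "SELECT "
    if not sql.startswith(prefix):
        raise ValueError("only SELECT <literal> is supported")
    value, rest = lex_literal(sql[len(prefix):])
    return value, rest.strip()


def exec_params(sql: str, params):
    """Mimic the contract of a parameterised statement (libpq's
    PQexecParams, for instance): the SQL text is fixed and scanned on its
    own, and $1 is bound to the value afterwards with no escape processing.
    Only 'SELECT $1;' is accepted, which is enough to make the point."""
    if sql.strip() != "SELECT $1;":
        raise ValueError("toy supports only 'SELECT $1;'")
    return params[0]


if __name__ == "__main__":
    data = "line1\\nline2"                    # the two characters \ and n
    # Spliced in raw: the scanner turns \n into a real newline (the
    # original poster's complaint).
    print(repr(select_literal("SELECT '" + data + "';")[0]))
    # Spliced in escaped: the backslash survives.
    print(repr(select_literal("SELECT " + pg_escape_literal(data) + ";")[0]))
    # Passed as a parameter: nothing is interpreted at all.
    print(repr(exec_params("SELECT $1;", [data])))
    # Why both characters must be escaped: with quotes doubled but
    # backslashes left alone, \' closes the literal early and the rest of
    # the data is scanned as SQL.
    hostile = "\\' OR 1=1 --"
    print(select_literal("SELECT " + quote_only_escape(hostile) + ";"))
    print(select_literal("SELECT " + pg_escape_literal(hostile) + ";"))
```

pg_escape_literal works byte by byte and so assumes a single-byte server encoding; with the parameterised route that escaping code, and the assumptions behind it, are not needed at all, which is what "separate data from SQL command" buys you.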