Re: Escaping strings for inclusion into SQL queries

From: Alex Pilosov <alex(at)pilosoft(dot)com>
To: Mitch Vincent <mvincent(at)cablespeed(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Escaping strings for inclusion into SQL queries
Date: 2001-08-30 23:32:58
Message-ID: Pine.BSO.4.10.10108301931440.19501-100000@spider.pilosoft.com
Lists: pgsql-hackers

It is. The application is responsible for calling PGescapeString (included in the
patch in question) to escape any command that may possibly contain user-specified
data... This function isn't called automatically.

On Thu, 30 Aug 2001, Mitch Vincent wrote:

> Perhaps I'm not thinking correctly, but isn't it the job of the application
> that's using the libpq library to escape special characters? I guess I don't
> see a downside though, if it's implemented correctly to check and see if
> characters are already escaped before escaping them (else major breakage of
> existing applications would occur). I didn't see the patch but I assume that
> someone took a look to make sure before applying it.
>
>
> -Mitch
>
> ----- Original Message -----
> From: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
> To: "Florian Weimer" <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de>
> Cc: <pgsql-hackers(at)postgresql(dot)org>
> Sent: Thursday, August 30, 2001 6:43 PM
> Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries
>
>
> > > Florian Weimer <Florian(dot)Weimer(at)rus(dot)uni-stuttgart(dot)de> writes:
> > >
> > > > We therefore suggest that a string escaping function is included in a
> > > > future version of PostgreSQL and libpq. A sample implementation is
> > > > provided below, along with documentation.
> > >
> > > We have now released a description of the problems which occur when a
> > > string escaping function is not used:
> > >
> > > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> > >
> > > What further steps are required to make the suggested patch part of
> > > the official libpq library?
> >
> > Will be applied soon. I was waiting for comments before adding it to
> > the patch queue.
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://www.postgresql.org/search.mpl
>
>
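An added illustration of the escaping step the message describes, not the code of the patch under discussion and not dependent on libpq: a C routine with the contract of the proposed escape function (single quotes and backslashes doubled into a caller-supplied buffer of 2*length+1 bytes, bytes written returned) and a caller that applies it exactly once before splicing user data into a quoted literal. The names escape_literal and build_query are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape `length` bytes of `from` for use inside a single-quoted SQL literal.
 * Contract of the libpq routine of that era: `to` must hold 2*length+1 bytes;
 * both ' and \ are doubled; returns the bytes written, excluding the NUL.
 * Illustrative code, not the patch itself. */
size_t escape_literal(char *to, const char *from, size_t length)
{
    const char *src = from;
    char *dst = to;
    while (length-- > 0 && *src != '\0') {
        char c = *src++;
        if (c == '\'' || c == '\\')
            *dst++ = c;            /* double the quote or backslash */
        *dst++ = c;
    }
    *dst = '\0';
    return (size_t)(dst - to);
}

/* Build "SELECT id FROM users WHERE name = '<user>'" with the user-supplied
 * value escaped once. Returns a malloc'ed string (caller frees), NULL on OOM. */
char *build_query(const char *user)
{
    const char *prefix = "SELECT id FROM users WHERE name = '";
    size_t ulen = strlen(user);
    char *esc = malloc(2 * ulen + 1);       /* worst case: every byte doubled */
    if (esc == NULL) return NULL;
    size_t elen = escape_literal(esc, user, ulen);
    char *q = malloc(strlen(prefix) + elen + 2);   /* closing quote + NUL */
    if (q == NULL) { free(esc); return NULL; }
    strcpy(q, prefix);
    strcat(q, esc);
    strcat(q, "'");
    free(esc);
    return q;
}

int main(void)
{
    /* Constructed sample input: a name containing a single quote. */
    char *q = build_query("O'Brien");
    if (q == NULL) return 1;
    printf("%s\n", q);   /* SELECT id FROM users WHERE name = 'O''Brien' */
    free(q);
    return 0;
}
```

Escaping is not idempotent: running the same value through escape_literal twice yields a different literal, which is why the application must apply it once, to the raw user data only.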
