From: | "Jordi" <jordil2(at)hotmail(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Problem with character ' (single quote) in text fields |
Date: | 2002-01-21 13:13:31 |
Message-ID: | a2h3mc$a7u$1@news.tht.net |
Lists: | pgsql-general |
In my case the data is loaded from a file (for example a very long list of
Names/FirstNames) so this security concern should not be applicable here
(anyway, thanks for the remark because I have never thought about it...).
The best solution for me would be if I could change the "start/end of a
PostgreSQL string" from the single quote to the double quote (") or a
similar character because now I have to do my own version of PQescapeString
for every text field assuming the ' character could be there. Does anyone know
if it is possible to change it without modifying the PostgreSQL source code?
Thanks,
Jordi
"Einar Karttunen" <ekarttun(at)cs(dot)helsinki(dot)fi> wrote in message
news:20020121113549(dot)GC25853(at)shellak(dot)helsinki(dot)fi(dot)(dot)(dot)
> On 21.01.02 11:42 +0100(+0000), Jordi wrote:
> > Is there any way to change the start/end of Text field character or do you
> > know a better workaround to avoid parsing/changing all the text fields just
> > in case they contain the single quote ( ') character??.
> >
> In case the data comes from outside you *must* escape it. Libpq defines a
> function for it called PQescapeString. Consider what would happen if you
> had code like this:
>
> char buf[BUF_SIZE];
> snprintf(buf,BUF_SIZE,"SELECT * FROM mytable WHERE field='%s';",string_from_user);
> PQexec(con,buf);
>
> Now let's say the user would enter a value like
> 0';DELETE FROM mytable;SELECT '1
> and the db would see
> SELECT * FROM mytable WHERE field='0';DELETE FROM mytable;SELECT '1';
>
> - Einar Karttunen
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
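Editor's note, as an added example that is not part of the original thread or of libpq itself: the program below builds the query the way Einar's snippet does, then builds it again after applying the rule PQescapeString applies to the single-quote case (each ' inside a literal becomes ''), and shows that the payload from the thread collapses from three statements back to one. It is self-contained C with no libpq dependency; `build_query_unsafe`, `escape_literal`, `build_query_escaped` and `count_statements` are names chosen here, and `count_statements` is only a rough stand-in for how the server would split the text. It assumes the server runs with `standard_conforming_strings=on` (the default since PostgreSQL 9.1), so backslashes inside '...' are ordinary characters; with the older setting, pass `escape_backslash=1` so they are doubled as well.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical table/query shape taken from the message above. */
static const char *QUERY_FMT = "SELECT * FROM mytable WHERE field='%s';";

/* Double every single quote (and, if escape_backslash is set, every backslash)
   so the text can sit inside a '...' literal.  Returns a malloc'ed string sized
   2*len+1, the same worst case PQescapeString documents. */
char *escape_literal(const char *from, int escape_backslash)
{
    size_t len = strlen(from);
    char *to = malloc(2 * len + 1);
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char c = from[i];
        if (c == '\'' || (escape_backslash && c == '\\'))
            to[n++] = c;           /* emit the character twice */
        to[n++] = c;
    }
    to[n] = '\0';
    return to;
}

/* The construction from the quoted snippet: untrusted text pasted straight
   between the quotes.  Deliberately unsafe. */
char *build_query_unsafe(const char *s)
{
    size_t need = strlen(QUERY_FMT) + strlen(s) + 1;
    char *q = malloc(need);
    snprintf(q, need, QUERY_FMT, s);
    return q;
}

/* Same query, but the text is escaped first. */
char *build_query_escaped(const char *s, int escape_backslash)
{
    char *esc = escape_literal(s, escape_backslash);
    size_t need = strlen(QUERY_FMT) + strlen(esc) + 1;
    char *q = malloc(need);
    snprintf(q, need, QUERY_FMT, esc);
    free(esc);
    return q;
}

/* Rough model of how the server splits the text: count ';' that fall outside
   a '...' literal, treating '' inside a literal as an escaped quote. */
int count_statements(const char *q)
{
    int in_quote = 0, count = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\'') {
            if (in_quote && p[1] == '\'') { p++; continue; }
            in_quote = !in_quote;
        } else if (*p == ';' && !in_quote) {
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed input: the payload Einar gives in the thread. */
    const char *payload = "0';DELETE FROM mytable;SELECT '1";
    char *bad  = build_query_unsafe(payload);
    char *good = build_query_escaped(payload, 0);
    printf("unsafe : %s  (%d statements)\n", bad,  count_statements(bad));
    printf("escaped: %s  (%d statements)\n", good, count_statements(good));
    free(bad);
    free(good);
    return 0;
}
```

Two caveats a practitioner would add. First, PostgreSQL cannot be told to use " as the string delimiter: double quotes delimit identifiers, so the question as asked has no configuration answer. Second, hand-rolled escaping is the weakest of the available options; libpq's `PQescapeStringConn` (encoding- and setting-aware) or `PQexecParams` with `$1` placeholders keeps the data out of the SQL text altogether, and for the file-load case Jordi describes, `COPY` does not treat single quotes specially at all, so no per-field quoting is needed.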