Re: Escaping strings for inclusion into SQL queries

Perhaps I'm not thinking correctly but isn't it the job of the application
that's using the libpq library to escape special characters? I guess I don't
see a down side though, if it's implemented correctly to check and see if
characters are already escaped before escaping them (else major breakage of
existing application would occur).. I didn't see the patch but I assume that
someone took a look to make sure before applying it.


-Mitch

----- Original Message -----
From: "Bruce Momjian" <pgman@candle.pha.pa.us>
To: "Florian Weimer" <Florian.Weimer@rus.uni-stuttgart.de>
Cc: <pgsql-hackers@postgresql.org>
Sent: Thursday, August 30, 2001 6:43 PM
Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries


> > Florian Weimer <Florian.Weimer@rus.uni-stuttgart.de> writes:
> >
> > > We therefore suggest that a string escaping function is included in a
> > > future version of PostgreSQL and libpq.  A sample implementation is
> > > provided below, along with documentation.
> >
> > We have now released a description of the problems which occur when a
> > string escaping function is not used:
> >
> > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> >
> > What further steps are required to make the suggested patch part of
> > the official libpq library?
>
> Will be applied soon.  I was waiting for comments before adding it to
> the patch queue.