Re: Escaping strings for inclusion into SQL queries
| От | Mitch Vincent |
|---|---|
| Тема | Re: Escaping strings for inclusion into SQL queries |
| Дата | |
| Msg-id | 002301c131bc$193c7610$be615dd8@mitch обсуждение исходный текст |
| Ответ на | Re: Escaping strings for inclusion into SQL queries (Alex Pilosov <alex@pilosoft.com>) |
| Список | pgsql-hackers |
Ok, I misudnerstood, I had long included my own escaping function in programs that used libpq, I thought the intent was to make escaping happen automatically.. Thanks! -Mitch ----- Original Message ----- From: "Alex Pilosov" <alex@pilosoft.com> To: "Mitch Vincent" <mvincent@cablespeed.com> Cc: <pgsql-hackers@postgresql.org> Sent: Thursday, August 30, 2001 7:32 PM Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries > It is. Application is responsible to call PGescapeString (included in the > patch in question) to escape command that may possibly have user-specified > data... This function isn't called automatically. > > On Thu, 30 Aug 2001, Mitch Vincent wrote: > > > Perhaps I'm not thinking correctly but isn't it the job of the application > > that's using the libpq library to escape special characters? I guess I don't > > see a down side though, if it's implemented correctly to check and see if > > characters are already escaped before escaping them (else major breakage of > > existing application would occur).. I didn't see the patch but I assume that > > someone took a look to make sure before applying it. > > > > > > -Mitch > > > > ----- Original Message ----- > > From: "Bruce Momjian" <pgman@candle.pha.pa.us> > > To: "Florian Weimer" <Florian.Weimer@rus.uni-stuttgart.de> > > Cc: <pgsql-hackers@postgresql.org> > > Sent: Thursday, August 30, 2001 6:43 PM > > Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries > > > > > > > > Florian Weimer <Florian.Weimer@rus.uni-stuttgart.de> writes: > > > > > > > > > We therefore suggest that a string escaping function is included in a > > > > > future version of PostgreSQL and libpq. A sample implementation is > > > > > provided below, along with documentation. > > > > > > > > We have now released a description of the problems which occur when a > > > > string escaping function is not used: > > > > > > > > http://cert.uni-stuttgart.de/advisories/apache_auth.php > > > > > > > > What further steps are required to make the suggested patch part of > > > > the official libpq library? > > > > > > Will be applied soon. I was waiting for comments before adding it to > > > the patch queue. > > > > > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 6: Have you searched our list archives? > > > > http://www.postgresql.org/search.mpl > > > > > > > ---------------------------(end of broadcast)--------------------------- > TIP 5: Have you checked our extensive FAQ? > > http://www.postgresql.org/users-lounge/docs/faq.html >
В списке pgsql-hackers по дате отправления: