Re: Escaping strings for inclusion into SQL queries
От | Joe Conway |
---|---|
Тема | Re: Escaping strings for inclusion into SQL queries |
Дата | |
Msg-id | 01c701c13a8a$adf7f190$0705a8c0@jecw2k1 обсуждение исходный текст |
Ответ на | Re: Escaping strings for inclusion into SQL queries (Bruce Momjian <pgman@candle.pha.pa.us>) |
Ответы |
Re: Escaping strings for inclusion into SQL queries
|
Список | pgsql-hackers |
> Patch applied. Thanks. > > > Bruce Momjian <pgman@candle.pha.pa.us> writes: > > > > > Patch removed at the request of the author. Author will resubmit. > > > > I've attached the fixed version of the patch below. After the > > discussion on pgsql-hackers (especially the frightening memory dump in > > <12273.999562219@sss.pgh.pa.us>), we decided that it is best not to > > use identifiers from an untrusted source at all. Therefore, all > > claims of the suitability of PQescapeString() for identifiers have > > been removed. I found a problem with PQescapeString (I think). Since it escapes null bytes to be literally '\0', the following can happen: 1. User inputs string value as "<null byte>##" where ## are digits in the range of 0 to 7. 2. PQescapeString converts this to "\0##" 3. Escaped string is used in a context that causes "\0##" to be evaluated as an octal escape sequence. For example, if the user enters a null byte followed by "47", and escapes it, it becomes "\071" which gets translated into a single digit "9" by the general parser. Along the same lines, if there is a null byte in a string, and it is not followed by digits, the resulting "\0" gets converted back into a null byte by the parser and the string gets truncated. If the goal is to "safely" encode null bytes, and preserve the rest of the string as it was entered, I think the null bytes should be escaped as \\000 (note that if you simply use \000 the same string truncation problem occurs). -- Joe
В списке pgsql-hackers по дате отправления: