[switched to -hackers]
Tom Lane wrote:
>Rod Taylor <pg@rbt.ca> writes:
>
>>It probably won't be any worse than when '' was rejected for an integer
>>0.
>
>That analogy is *SO* far off the mark that I have to object.
>
>Fooling with quoting rules will not simply cause clean failures, which
>is what you got from ''-no-longer-accepted-by-atoi. What it will cause
>is formerly valid input being silently interpreted as something else.
>That's bad enough, but it gets worse: formerly secure client code may
>now be vulnerable to SQL-injection attacks, because it doesn't know how
>to quote text properly.
>
>What we are talking about here is an extremely significant change with
>extremely serious consequences, and imagining that it is not will be
>a recipe for disaster.
>
All true. Conversely, there does need to be a path for us to get to
standard behaviour.
I think we're going to need to provide for switchable behaviour, as ugly
as that might be (looking briefly at scan.l it looks like the simplest
way would be a separate state for being inside standard strings, with
the choice of state being made conditionally in the {xqstart} rule).
We can't just break backwards compatibility overnight like this.
cheers
andrew
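As an added illustration of the point raised above (this is example code, not part of the thread and not PostgreSQL's scan.l): a minimal model of the two single-quoted literal rules, with a round-trip check a client library could run to confirm that its escaping routine still agrees with the server's lexer. The escape and lex functions are simplified assumptions, not the server's actual grammar.

```python
from typing import Tuple

# Added example (not from this thread): model the backslash-escape rule and
# the standard-conforming rule for single-quoted literals, then check whether
# a value survives client escaping plus server lexing unchanged.


def escape(text: str, standard: bool) -> str:
    """Quote a value the way a client library might under each rule.

    Backslash-style clients turn ' into \\' and \\ into \\\\;
    standard-conforming clients double the quote and leave backslashes alone.
    """
    if standard:
        return "'" + text.replace("'", "''") + "'"
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def lex_literal(sql: str, standard: bool) -> Tuple[str, str]:
    """Consume one quoted literal from the start of sql.

    Returns (decoded_value, remaining_sql). The remainder is what the lexer
    would pass on to the parser as further SQL tokens.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":       # '' means a literal quote under both rules
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote reached
        if c == "\\" and not standard and i + 1 < len(sql):
            out.append(sql[i + 1])            # backslash escape, old rule only
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted literal")


def round_trips(text: str, client_standard: bool, server_standard: bool) -> bool:
    """True only if the value comes back unchanged and nothing is left over
    for the parser to treat as SQL; False flags a client/server rule mismatch."""
    value, rest = lex_literal(escape(text, client_standard), server_standard)
    return value == text and rest == ""
```

Running `round_trips("O'Reilly", False, True)` shows the failure mode in the message above: a backslash-escaped quote lexed under the standard rule ends the literal early and leaves `Reilly'` as trailing SQL text.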