Re: Escaping strings for inclusion into SQL queries
От | Peter Eisentraut |
---|---|
Тема | Re: Escaping strings for inclusion into SQL queries |
Дата | |
Msg-id | Pine.LNX.4.30.0109010953050.722-100000@peter.localdomain обсуждение исходный текст |
Ответ на | Re: Escaping strings for inclusion into SQL queries (Bruce Momjian <pgman@candle.pha.pa.us>) |
Список | pgsql-hackers |
For consistency with the rest of the libpq API, the function should be called PQescapeString, not PGescapeString. Bruce Momjian writes: > > Your patch has been added to the PostgreSQL unapplied patches list at: > > http://candle.pha.pa.us/cgi-bin/pgpatches > > I will try to apply it within the next 48 hours. > > > It has come to our attention that many applications which use libpq > > are vulnerable to code insertion attacks in strings and identifiers > > passed to these applications. We have collected some evidence which > > suggests that this is related to the fact that libpq does not provide > > a function to escape strings and identifiers properly. (Both the > > Oracle and MySQL client libraries include such a function, and the > > vast majority of applications we examined are not vulnerable to code > > insertion attacks because they use this function.) > > > > We therefore suggest that a string escaping function is included in a > > future version of PostgreSQL and libpq. A sample implementation is > > provided below, along with documentation. > > > > -- > > Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE > > University of Stuttgart http://cert.uni-stuttgart.de/ > > RUS-CERT +49-711-685-5973/fax +49-711-685-5898 > > [ Attachment, skipping... ] > > [ Attachment, skipping... ] > > [ Attachment, skipping... ] > > > > > ---------------------------(end of broadcast)--------------------------- > > TIP 2: you can get off all lists at once with the unregister command > > (send "unregister YourEmailAddressHere" to majordomo@postgresql.org) > > -- Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
В списке pgsql-hackers по дате отправления: