Discussion: C API, PQconnectdb and options Q.
I'm using a Redhat version of PostgreSQL 7.2.3 with the C API. Mostly things work right, but I need more debug output, as I have a query that works fine from psql, but fails with the C API (perhaps this is because I use PQescapeString). The only way to know there is an error is that the insert never happens, and that the system log reports a parse error at or near the first field of an insert. What I am wondering is (a) how to use the tty= in the string passed to PQconnectdb, and (b) a reference URL for what options are available in the options= part of the string parameters accepted by PQconnectdb. So far all I end up with if I try to name a file for tty= or a tty from /dev/ for tty= is a core dump.

D. Stimits
D. Stimits wrote:

> I'm using a Redhat version of PostgreSQL 7.2.3 with the C API. Mostly
> things work right, but I need more debug output, as I have a query that
> works fine from psql, but fails with the C API (perhaps this is because
> I use PQescapeString). The only way to know there is an error is that
> the insert never happens, and that the system log reports a parse error
> at or near the first field of an insert. What I am wondering is (a) how to
> use the tty= in the string passed to PQconnectdb, and (b) a reference
> URL for what options are available in the options= part of the string
> parameters accepted by PQconnectdb. So far all I end up with if I try to
> name a file for tty= or a tty from /dev/ for tty= is a core dump.
>
> D. Stimits

I found a partial answer to this...it seems to be a bug in PQescapeString(). Turns out that if I do something with an insert using quotes for a varchar field, e.g.:

INSERT INTO foo VALUES ('bar')

...then it escapes this to:

INSERT INTO foo VALUES (''bar'')

It doesn't like the pair of single quotes.

But I also can't do this, due to requirements of SQL syntax:

INSERT INTO foo VALUES (bar)

How can I use PQescapeString() with input I would like to make somewhat safer via escaping? How would I use PQescapeString() without writing my own replacement that works with inserts?

D. Stimits
On Wednesday 10 September 2003 18:47, D. Stimits wrote:
>
> I found a partial answer to this...it seems to be a bug in
> PQescapeString(). Turns out that if I do something with an insert using
> quotes for a varchar field, e.g.:
> INSERT INTO foo VALUES ('bar')
>
> ...then it escapes this to:
> INSERT INTO foo VALUES (''bar'')
>
> It doesn't like the pair of single quotes.
>
> But I also can't do this, due to requirements of SQL syntax:
> INSERT INTO foo VALUES (bar)
>
> How can I use PQescapeString() with input I would like to make somewhat
> safer via escaping? How would I use PQescapeString() without writing my
> own replacement that works with inserts?

I think the idea is to escape just the parameters to the SQL statement. So (not in C syntax):

  query = "INSERT INTO foo values ('" + PQescapeString("O'Neill") + "')"

This will double the single-quote in O'Neill.

I tend to use higher-level languages where this sort of thing is handled by functions in e.g. Perl's DBI layer. If there isn't a suitable interface layer available, you could write your own that does something like:

  query = build_sql("INSERT INTO foo values (?,'?')", 1, "fred");

I can't believe there isn't something like this available though.

--
Richard Huxton
Archonet Ltd
On Wed, 10 Sep 2003, D. Stimits wrote:

> D. Stimits wrote:
>
> > I'm using a Redhat version of PostgreSQL 7.2.3 with the C API. Mostly
> > things work right, but I need more debug output, as I have a query that
> > works fine from psql, but fails with the C API (perhaps this is because
> > I use PQescapeString). The only way to know there is an error is that
> > the insert never happens, and that the system log reports a parse error
> > at or near the first field of an insert. What I am wondering is (a) how to
> > use the tty= in the string passed to PQconnectdb, and (b) a reference
> > URL for what options are available in the options= part of the string
> > parameters accepted by PQconnectdb. So far all I end up with if I try to
> > name a file for tty= or a tty from /dev/ for tty= is a core dump.
> >
> > D. Stimits
>
> I found a partial answer to this...it seems to be a bug in
> PQescapeString(). Turns out that if I do something with an insert using
> quotes for a varchar field, e.g.:
> INSERT INTO foo VALUES ('bar')
>
> ...then it escapes this to:
> INSERT INTO foo VALUES (''bar'')

I don't think you're using it correctly...

"PQescapeString escapes a string for use within an SQL command."
...
"The single quotes that must surround PostgreSQL string literals are not included in the result string; they should be provided in the SQL command that the result is inserted into."

The intent is not for PQescapeString to take a query string, but a string for use within a query string (for example, the literal bar in the above).
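The usage described in the replies above, as an added example that is not part of the original thread: only the value is escaped, and the statement text supplies the surrounding quotes. escape_literal is a hypothetical stand-in for PQescapeString (that it doubles single quotes and backslashes is an assumption) so the block runs without libpq, and build_insert is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for PQescapeString (an assumption, not libpq code): doubles
 * single quotes and backslashes and adds no surrounding quotes. `to` must
 * hold at least 2*len+1 bytes. Returns the escaped length. */
size_t escape_literal(char *to, const char *from, size_t len)
{
    char *t = to;
    for (size_t i = 0; i < len && from[i] != '\0'; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            *t++ = from[i];          /* emit the character twice */
        *t++ = from[i];
    }
    *t = '\0';
    return (size_t)(t - to);
}

/* Correct use: escape only the value; the statement supplies the quotes.
 * Returns 0 on success, -1 if the value or the result would not fit. */
int build_insert(char *out, size_t outsz, const char *value)
{
    char esc[2 * 256 + 1];
    size_t len = strlen(value);
    if (len > 256)
        return -1;
    escape_literal(esc, value, len);
    int n = snprintf(out, outsz, "INSERT INTO foo VALUES ('%s')", esc);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char sql[1024];

    /* The mistake from the thread: the whole statement is escaped. */
    const char *stmt = "INSERT INTO foo VALUES ('bar')";
    escape_literal(sql, stmt, strlen(stmt));
    printf("whole statement: %s\n", sql);

    /* Constructed sample values, one of which tries to close the literal. */
    const char *samples[] = { "bar", "O'Neill", "x'); SELECT 1; --" };
    for (size_t i = 0; i < 3; i++)
        if (build_insert(sql, sizeof sql, samples[i]) == 0)
            printf("value only:      %s\n", sql);
    return 0;
}
```

With libpq linked, a call to PQescapeString(esc, value, len) takes the place of the stand-in call in build_insert.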
"D. Stimits" <stimits@comcast.net> writes:
> What I am wondering is (a) how to
> use the tty= in the string passed to PQconnectdb, and (b) a reference
> URL for what options are available in the options= part of the string
> parameters accepted by PQconnectdb.

tty= is a dead option; it was disabled years ago on security grounds. I'd suggest enabling query logging so you can see in the postmaster log exactly what query string got sent by your application.

The options= string is included in the command line options for the "postgres" backend process --- the useful part of this is
	-c parametervariable=value
which is pretty nearly equivalent to doing a
	SET parametervariable=value
after connecting.

regards, tom lane