Index: libpq.sgml =================================================================== RCS file: /home/projects/pgsql/cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.66 diff -u -r1.66 libpq.sgml --- libpq.sgml 2001/08/10 22:50:09 1.66 +++ libpq.sgml 2001/08/22 15:58:02 @@ -827,6 +827,42 @@ + + Escaping strings for inclusion in SQL queries + +PGescapeString + Escapes a string for use within an SQL query. + +size_t PGescapeString (char *to, const char *from, size_t length); + +If you want to include strings or identifiers which have been received +from a source which is not trustworthy (for example, because they were +transmitted across a network), you cannot directly include them in SQL +queries for security reasons. Instead, you have to quote special +characters which are otherwise interpreted by the SQL parser. + + +PGescapeString performs this operation. The +from points to the first character of the string which +is to be escaped, and the length parameter counts the +number of characters in this string (a terminating NUL character is +neither necessary nor counted). to shall point to a +buffer which is able to hold at least one more character than twice +the value of length, otherwise the behavior is +undefined. A call to PGescapeString writes an escaped +version of the from string to the to +buffer, replacing special characters so that they cannot cause any +harm, and adding a terminating NUL character. The single or double +quote characters which are required for strings and identifiers, +respectively, are not added to the result string. + + +PGescapeString returns the number of characters written +to to, not including the terminating NUL character. +Behavior is undefined when the to and from +strings overlap. + + Retrieving SELECT Result Information
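Review bot: the new PGescapeString paragraph never says which characters are "special" or what they are replaced with ("replacing special characters so that they cannot cause any harm" is the only description), and it presents the function as usable for both string literals and identifiers even though the two are quoted differently (a single-quoted literal and a double-quoted identifier do not share the same set of characters that need escaping). Document the exact substitution the function performs on the quote and backslash characters and state which quoting context the output is valid in, or drop the "or identifiers" wording if only single-quoted literals are supported. Two smaller points in the same hunk: the buffer requirement reads more directly as "to must point to a buffer of at least 2*length+1 characters" than "one more character than twice the value of length", and if length is a byte count rather than a character count under multibyte encodings, say so, since the caller sizes the output buffer from it. Finally, the PG prefix in "PGescapeString" should be checked against the name actually exported by the implementation this documents, since a mismatch here makes the example signature uncompilable for readers.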