Re: Escape handling in strings
| From | Tom Lane |
|---|---|
| Subject | Re: Escape handling in strings |
| Date | |
| Msg-id | 14648.1118926504@sss.pgh.pa.us |
| In reply to | Re: Escape handling in strings (Rod Taylor <pg@rbt.ca>) |
| Responses | Re: Escape handling in strings |
| List | pgsql-patches |
Rod Taylor <pg@rbt.ca> writes:
> It probably won't be any worse than when '' was rejected for an integer
> 0.

That analogy is *SO* far off the mark that I have to object. Fooling with quoting rules will not simply cause clean failures, which is what you got from ''-no-longer-accepted-by-atoi. What it will cause is formerly valid input being silently interpreted as something else. That's bad enough, but it gets worse: formerly secure client code may now be vulnerable to SQL-injection attacks, because it doesn't know how to quote text properly.

What we are talking about here is an extremely significant change with extremely serious consequences, and imagining that it is not will be a recipe for disaster.

I also think that pgsql-patches is not the place to be discussing such things... it needs a whole lot more visibility.

regards, tom lane
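Tom's point about client code that "doesn't know how to quote text properly", as an added example that is not from this thread or from PostgreSQL's own code: a simplified model of the two interpretations being argued over (backslash escapes honoured, versus a backslash being an ordinary character as the SQL standard specifies), with two client-side quoting routines each written for one of them. `parse_literal`, `quote_with_backslash`, `quote_by_doubling` and `quotes_correctly` are assumed names; the model ignores E'' literals, dollar quoting and octal/hex escapes.

```python
def parse_literal(sql, backslash_escapes):
    """Decode the single-quoted string literal at the start of ``sql``.

    Returns (value, rest): the decoded value and the SQL text after the
    closing quote.  Simplified model of the two interpretations under
    discussion: '' is a literal quote in both; a backslash escapes the
    next character only when backslash_escapes is True.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    value, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":          # doubled quote -> one quote char
                value.append("'")
                i += 2
                continue
            return "".join(value), sql[i + 1:]   # closing quote
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            value.append(sql[i + 1])             # \x -> x (backslash mode only)
            i += 2
            continue
        value.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def quote_with_backslash(text):
    """Client quoting written for backslash-escape semantics."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_by_doubling(text):
    """Client quoting written for SQL-standard semantics (quotes doubled)."""
    return "'" + text.replace("'", "''") + "'"


def quotes_correctly(quoter, text, backslash_escapes, tail=" AND active"):
    """True if the server, under the given interpretation, reads back exactly
    ``text`` as the literal and ``tail`` as the SQL following it.  False means
    the value silently changed or client text ended up outside the literal."""
    try:
        return parse_literal(quoter(text) + tail, backslash_escapes) == (text, tail)
    except ValueError:
        return False
```

Each routine is correct under exactly one interpretation, so a client that does not know which one the server applies cannot choose correctly; that is the reason to prefer parameterized queries or an escaping function that knows the server's setting over fixed string rules.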