Re: Escaping strings for inclusion into SQL queries
| From | Bruce Momjian |
|---|---|
| Subject | Re: Escaping strings for inclusion into SQL queries |
| Date | |
| Msg-id | 200109120420.f8C4KVf28273@candle.pha.pa.us |
| In reply to | Re: Escaping strings for inclusion into SQL queries (Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>) |
| List | pgsql-hackers |
I think we need this patch. Bytea encoding will be changed to accept \000 rather than \0 for the same reason. I also agree that the libpq escaping of a C string doesn't need to deal with NULL like bytea does.

Your patch has been added to the PostgreSQL unapplied patches list at:

    http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours.

> "Joe Conway" <joseph.conway@home.com> writes:
>
> > I found a problem with PQescapeString (I think). Since it escapes
> > null bytes to be literally '\0', the following can happen:
> > 1. User inputs string value as "<null byte>##" where ## are digits in the
> > range of 0 to 7.
> > 2. PQescapeString converts this to "\0##"
> > 3. Escaped string is used in a context that causes "\0##" to be evaluated as
> > an octal escape sequence.
>
> I agree that this is a problem, though it is not possible to do
> anything harmful with it. In addition, it only occurs if there are
> any NUL characters in its input, which is very unlikely if you are
> using C strings.
>
> The patch below addresses the issue by removing escaping of \0
> characters entirely.
>
> > If the goal is to "safely" encode null bytes, and preserve the rest of the
> > string as it was entered, I think the null bytes should be escaped as \\000
> > (note that if you simply use \000 the same string truncation problem
> > occurs).
>
> We can't do that, this would require 4n + 1 bytes of storage for the
> result, breaking the interface.
>
> --
> Florian Weimer                    Florian.Weimer@RUS.Uni-Stuttgart.DE
> University of Stuttgart           http://cert.uni-stuttgart.de/
> RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
> [ Attachment, skipping... ]

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
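The octal-swallowing problem Joe Conway describes, worked through in code. This is an added illustration and not libpq or PostgreSQL source: `escape_string` is a cut-down stand-in for PQescapeString that writes a NUL byte either as the two characters `\0` (the behaviour reported above) or as the fixed-width `\000` that Joe suggests, and `unescape_literal` is a toy model of how the server scanner of that era read a quoted string literal (one to three octal digits after a backslash form one byte; `''` collapses to `'`). The scanner model is an assumption for the example and ignores other escapes the real scanner knew. The input bytes are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* How a NUL byte in the input is written by the toy escaper below. */
enum nul_mode {
    NUL_AS_BACKSLASH_ZERO,   /* "\0": the behaviour Joe Conway reports   */
    NUL_AS_THREE_DIGITS      /* "\000": fixed width, needs 4*len+1 bytes  */
};

/* Added example, not libpq code: a cut-down escaper with PQescapeString's
 * buffer contract (caller supplies at least 2*len+1 bytes for the "\0"
 * form).  Backslashes and single quotes are doubled.  Takes an explicit
 * length because the interesting inputs contain NUL bytes. */
size_t escape_string(char *to, const char *from, size_t len, enum nul_mode mode)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        char c = from[i];
        if (c == '\0') {
            to[out++] = '\\';
            to[out++] = '0';
            if (mode == NUL_AS_THREE_DIGITS) {
                to[out++] = '0';
                to[out++] = '0';
            }
        } else {
            if (c == '\\' || c == '\'')
                to[out++] = c;          /* double the quoting character */
            to[out++] = c;
        }
    }
    to[out] = '\0';
    return out;
}

/* Toy model of the server scanner (assumption for this example): a
 * backslash followed by one to three octal digits yields the byte with
 * that value, a backslash before anything else yields that character,
 * and '' yields a single quote.  Returns the decoded length and also
 * NUL-terminates; the decoded bytes themselves may contain NUL. */
size_t unescape_literal(unsigned char *to, const char *from, size_t len)
{
    size_t out = 0, i = 0;
    while (i < len) {
        if (from[i] == '\'' && i + 1 < len && from[i + 1] == '\'') {
            to[out++] = '\'';
            i += 2;
            continue;
        }
        if (from[i] != '\\' || i + 1 >= len) {
            to[out++] = (unsigned char) from[i++];
            continue;
        }
        if (from[i + 1] >= '0' && from[i + 1] <= '7') {
            int val = 0, digits = 0;
            i++;                                    /* skip the backslash */
            while (digits < 3 && i < len && from[i] >= '0' && from[i] <= '7') {
                val = val * 8 + (from[i] - '0');
                i++;
                digits++;
            }
            to[out++] = (unsigned char) val;        /* "\012" -> one byte */
        } else {
            to[out++] = (unsigned char) from[i + 1];
            i += 2;
        }
    }
    to[out] = '\0';
    return out;
}

/* Escape with the given mode, then decode as the server would.  Returns
 * the number of bytes the server ends up with and leaves them in decoded
 * (caller supplies at least len+1 bytes).  Inputs are capped at 64 bytes. */
size_t roundtrip(const char *input, size_t len, enum nul_mode mode, unsigned char *decoded)
{
    char escaped[4 * 64 + 1];
    if (len > 64)
        return 0;
    escape_string(escaped, input, len, mode);
    return unescape_literal(decoded, escaped, strlen(escaped));
}

int main(void)
{
    const char input[3] = { '\0', '1', '2' };       /* constructed sample */
    unsigned char decoded[sizeof input + 1];

    size_t n = roundtrip(input, sizeof input, NUL_AS_BACKSLASH_ZERO, decoded);
    printf("\"\\0\" form:   server stores %zu byte(s), first 0x%02x (digits eaten)\n",
           n, decoded[0]);

    n = roundtrip(input, sizeof input, NUL_AS_THREE_DIGITS, decoded);
    printf("\"\\000\" form: server stores %zu byte(s), but strlen() sees %zu\n",
           n, strlen((const char *) decoded));
    return 0;
}
```

With the `\0` form, the three client bytes NUL `1` `2` reach the server as `\012`, which the scanner folds into a single newline byte, so two bytes of user data vanish; a NUL followed by a non-octal digit such as `8` survives as two bytes. With the `\000` form the digits survive, but the decoded value begins with a NUL, which is the truncation Joe refers to for anything that later treats the result as a C string. Florian's patch takes the third route of not escaping NUL at all, which for a C-string interface means the string simply ends there.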