Re: Unicode string literals versus the world
| От | Andrew Dunstan |
|---|---|
| Тема | Re: Unicode string literals versus the world |
| Дата | |
| Msg-id | 49E0CE25.4070703@dunslane.net обсуждение исходный текст |
| Ответ на | Unicode string literals versus the world (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
Tom Lane wrote: > > It gets worse though: I have seldom seen such a badly designed piece of > syntax as the Unicode string syntax --- see > http://developer.postgresql.org/pgdocs/postgres/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE > > You scan the string, and then after that they tell you what the escape > character is!? Not to mention the obvious ambiguity with & as an > operator. > > If we let this go into 8.4, our previous rounds with security holes > caused by careless string parsing will look like a day at the beach. > No frontend that isn't fully cognizant of the Unicode string syntax is > going to parse such things correctly --- it's going to be trivial for > a bad guy to confuse a quoting mechanism as to what's an escape and what > isn't. > > I think we need to give very serious consideration to ripping out that > "feature". > > > +1 I don't recall a great deal of discussion about it, and it certainly looks pretty horrible now you point it out. cheers andrew
В списке pgsql-hackers по дате отправления: