Re: PG 9.0 and standard_conforming_strings

On 02/03/2010 01:20 PM, Robert Haas wrote:
> I am not sure I really understand why anyone is a rush to make this
> change.  What harm is being done by the status quo?  What benefit do
> we get out of changing the default?  The major argument that has been
> offered so far is that "if we don't change it now, we never will", but
> I don't believe that the tenor of this discussion supports the
> contention that Tom or anyone else never wants to make this change.
>    

For myself, it isn't so much a rush as a sense that the code out there 
that will break, will never change unless forced, and any time seems 
better than never.

Correct me if I am wrong - but I think this issue represents an 
exploitable SQL injection security hole. I switched because I convinced 
myself that the ambiguity of \' represented actual danger. I'm concerned 
that if the web front end doing parameter checking and passing in code 
using either '' quoting or \' quoting can be exploited if the server 
happens to be configured the opposite way. To me, this ambiguity can 
only be addressed by everybody agreeing on the right way to do it, and 
'' quoting seems like the right way to do it to me.

Cheers,
mark

-- 
Mark Mielke<mark@mielke.cc>