Martin Pitt <martin@piware.de> writes:
> I finally found some time to debug this, and I think I found a better
> patch than the one you proposed. Mine is still hackish and is still a
> workaround around a proper quoting solution, but at least it repairs
> the parsing without introducing the \' quoting again.
Yeah, this is probably all right. My concerns about encoding
vulnerabilities were likely overblown --- it would only be an issue if
the mirror script were running with a non-ASCII-safe client encoding,
which seems pretty unlikely. So this will do as a band aid.
However, in looking through DBMirror.pl to try to understand what was
going on, I immediately found several other bugs --- fails on field
names containing double quotes, mirrorDelete fails to re-quote values,
mirrorUpdate tries to use "field = null" where "field is null" would be
correct, for example. I'm wondering whether this thing is really still
used in practice, and whether we shouldn't be deprecating it in favor of
Slony. As far as I can tell from the CVS logs, dbmirror per se hasn't
been touched since 2004 --- all subsequent edits have been part of
tree-wide changes.
regards, tom lane