Re: Escaping strings for inclusion into SQL queries

It is. Application is responsible to call PGescapeString (included in the
patch in question) to escape command that may possibly have user-specified
data... This function isn't called automatically.

On Thu, 30 Aug 2001, Mitch Vincent wrote:

> Perhaps I'm not thinking correctly but isn't it the job of the application
> that's using the libpq library to escape special characters? I guess I don't
> see a down side though, if it's implemented correctly to check and see if
> characters are already escaped before escaping them (else major breakage of
> existing application would occur).. I didn't see the patch but I assume that
> someone took a look to make sure before applying it.
> 
> 
> -Mitch
> 
> ----- Original Message -----
> From: "Bruce Momjian" <pgman@candle.pha.pa.us>
> To: "Florian Weimer" <Florian.Weimer@rus.uni-stuttgart.de>
> Cc: <pgsql-hackers@postgresql.org>
> Sent: Thursday, August 30, 2001 6:43 PM
> Subject: Re: [HACKERS] Escaping strings for inclusion into SQL queries
> 
> 
> > > Florian Weimer <Florian.Weimer@rus.uni-stuttgart.de> writes:
> > >
> > > > We therefore suggest that a string escaping function is included in a
> > > > future version of PostgreSQL and libpq.  A sample implementation is
> > > > provided below, along with documentation.
> > >
> > > We have now released a description of the problems which occur when a
> > > string escaping function is not used:
> > >
> > > http://cert.uni-stuttgart.de/advisories/apache_auth.php
> > >
> > > What further steps are required to make the suggested patch part of
> > > the official libpq library?
> >
> > Will be applied soon.  I was waiting for comments before adding it to
> > the patch queue.
> 
> 
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
> 
> http://www.postgresql.org/search.mpl
> 
>