Re: Negative Integers Escaping

From Federico Di Gregorio
Subject Re: Negative Integers Escaping
Date
Msg-id 4DE63081.7000401@dndg.it
In response to Re: Negative Integers Escaping  (Daniele Varrazzo <daniele.varrazzo@gmail.com>)
List psycopg
On 31/05/11 18:56, Daniele Varrazzo wrote:
> On Tue, May 31, 2011 at 12:47 PM, Marko Kreen <markokr@gmail.com> wrote:
[snip]
> I've already called for discussion a couple of months ago [1] about
> supporting the EQ protocol: it will eventually be done, but the result
> will hardly be a complete replacement for what psycopg currently does,
> so I don't see it becoming the default escape mechanism. (Of course,
> while I'm positive about its implementation, nobody has stepped ahead
> for implementing it, so I'm afraid it will have to wait for a slice of
> my Copious Spare Time).

Lucky you! Mine ISN'T Copious. :D

> While it's good stuff the EQ exists for applications directly using
> the libpq, it wouldn't have saved many troubles for psycopg: IMO this
> one is really borderline to a pathological case and is not a security
> issue.

Also this one can generically be solved by putting parentheses around
every single argument. It is a +2 bytes per argument and the output of
cursor.query isn't pretty at all but if the need arises that will work
with minimal changes to the code (i.e., no new bugs).

Btw, I completely agree with Daniele's analysis of EQ and psycopg.
psycopg offers a lot of features and we should find the right place for
EQ. Just dropping it in and having regressions on the existing code isn't
a good idea.

federico

--
Federico Di Gregorio                         federico.digregorio@dndg.it
Studio Associato Di Nunzio e Di Gregorio                  http://dndg.it
  Lord, defend me from my friends; I can account for my enemies.
                                                  -- Charles D'Hericault
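
The parenthesization idea from the message above, as an added example that is not part of the original post and is not psycopg's code. It assumes the case under discussion is a minus sign written directly against a placeholder bound to a negative integer; `adapt_int`, `interpolate`, `run` and `compare` are hypothetical names, and in-memory SQLite stands in for PostgreSQL because both start a comment at `--`.

```python
import sqlite3

def adapt_int(value, parenthesize=False):
    """Render an int as SQL text (hypothetical helper, not psycopg's adapter)."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("this sketch only adapts ints")
    text = str(value)
    return f"({text})" if parenthesize else text

def interpolate(query, args, parenthesize=False):
    """Toy client-side merge: fill each %s in order with the adapted value."""
    parts = query.split("%s")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    out = [parts[0]]
    for arg, tail in zip(args, parts[1:]):
        out.append(adapt_int(arg, parenthesize))
        out.append(tail)
    return "".join(out)

def run(sql):
    """Evaluate on in-memory SQLite, which also starts a comment at '--'."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute(sql).fetchone()[0]
    finally:
        conn.close()

# Constructed sample: a minus sign written directly against the placeholder.
QUERY = "SELECT 10 -%s + 100"

def compare(value):
    """Return (plain_sql, plain_result, wrapped_sql, wrapped_result)."""
    plain = interpolate(QUERY, (value,))
    wrapped = interpolate(QUERY, (value,), parenthesize=True)
    return plain, run(plain), wrapped, run(wrapped)

if __name__ == "__main__":
    for v in (5, -1):
        print(compare(v))
```

With the negative value, the unwrapped query silently loses everything after `--`, while the wrapped form costs two extra bytes per argument and evaluates the whole expression.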
