Обсуждение: PQescapeIdentifier
Here's a question. I wish to add a function to libpq to escape PostgreSQL identifiers. Will this function be subject to the same security/encoding issues as PQescapeString? Chris -- Christopher Kings-Lynne Technical Manager CalorieKing Tel: +618.9389.8777 Fax: +618.9389.8444 chris.kings-lynne@calorieking.com www.calorieking.com
Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes:
> Here's a question. I wish to add a function to libpq to escape
> PostgreSQL identifiers. Will this function be subject to the same
> security/encoding issues as PQescapeString?
Is this of any general-purpose use? How many apps are really prepared
to let an untrusted user dictate which columns are selected/compared?
But to answer your question, yes, I can certainly imagine
encoding-related risks...
regards, tom lane
> Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes: >> Here's a question. I wish to add a function to libpq to escape >> PostgreSQL identifiers. Will this function be subject to the same >> security/encoding issues as PQescapeString? > > Is this of any general-purpose use? How many apps are really prepared > to let an untrusted user dictate which columns are selected/compared? phpPgAdmin has use for it, I assume pgAdmin would as well. As does PHP's PostgreSQL interface, etc. The PHP sites I work on in my job have some functions to automatically build queries (eg. insert queries), which technically need to escape column names. It seems nice from my point of view as "completeness", and will help in the case when we ever change identifier escaping, etc. It might also encourage app writers to escape fields properly...I've seen too many places where they escape strings, but not fields... However, I guess it's still a small minority of apps. > But to answer your question, yes, I can certainly imagine > encoding-related risks... It's probably out of my league to code safely then I guess, unless it's basically the same coding as for PQescapeStringInternal...? Chris
> -----Original Message----- > From: pgsql-hackers-owner@postgresql.org > [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of > Christopher Kings-Lynne > Sent: 31 May 2006 04:16 > To: Tom Lane > Cc: Hackers > Subject: Re: [HACKERS] PQescapeIdentifier > > > Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes: > >> Here's a question. I wish to add a function to libpq to escape > >> PostgreSQL identifiers. Will this function be subject to the same > >> security/encoding issues as PQescapeString? > > > > Is this of any general-purpose use? How many apps are > really prepared > > to let an untrusted user dictate which columns are > selected/compared? > > phpPgAdmin has use for it, I assume pgAdmin would as well. Yes, it would. Regards, Dave.