On 4/11/09, Tom Lane <t...@sss.pgh.pa.us> wrote: > It gets worse though: I have seldom seen such a badly designed piece of > syntax as the Unicode string syntax --- see > > http://developer.postgresql.org/pgdocs/postgres/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE > > You scan the string, and then after that they tell you what the escape > character is!? Not to mention the obvious ambiguity with & as an > operator. > > If we let this go into 8.4, our previous rounds with security holes > caused by careless string parsing will look like a day at the beach. > No frontend that isn't fully cognizant of the Unicode string syntax is > going to parse such things correctly --- it's going to be trivial for > a bad guy to confuse a quoting mechanism as to what's an escape and what > isn't. > > I think we need to give very serious consideration to ripping out that > "feature".
Ugh, it's rather dubious indeed. Especially when we are already in the middle of seriously confusing conversion from stdstr=off -> on. Is it really OK to introduce even more complexity in the mix? Alternative proposal - maybe it would be saner to introduce \uXXXX escape to E'' strings as a non-standard way for quoting unicode. Later when the standard quoting is our only quoting method we can play with standard extensions? -- marko -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
