Mark Mielke <m...@mark.mielke.cc> writes: > On 02/03/2010 01:20 PM, Robert Haas wrote: >> I am not sure I really understand why anyone is a rush to make this >> change.
> For myself, it isn't so much a rush as a sense that the code out there > that will break, will never change unless forced, and any time seems > better than never. I have not heard anyone arguing for the position that we should never do it. The argument is about whether it's a good idea to do it *right now*, without any advance notice or planning. > Correct me if I am wrong - but I think this issue represents an > exploitable SQL injection security hole. Indeed it is, which is one of the reasons to be cautious with changing it. We've been telling people to move away from \' for a long time, but actually flipping the switch that will make their apps insecure is not something to do on the spur of the moment. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers