* Tatsuo Ishii:

> Users can input value for "var" from a web form. The attacker inputs
> following string:
>
> (0x95+0x27);DELETE FROM members;--
>
> where 0x95+0x27 is actually a SJIS multibyte KANJI. Programmer applies
> PQescapeString() to it and gets:
>
> 0x95+0x27+0x27;DELETE FROM members;--

Uh-oh, this is my fault. PQescapeString should escape all characters greater than 126. Unfortunately, there is nothing we can do about this in the current function because that would need four times the length of the input string (plus one). Drat.

(I don't think you should have to consider the encoding in the client; strange things may happen if there is an interpretation conflict between the client and the backend.)
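The interpretation conflict discussed in this message, as an added C sketch that is not libpq source and not code from the thread: byte-wise quote doubling next to the octal-escape idea from the reply, checked with a toy literal scanner. All function names are hypothetical, the Shift-JIS lead-byte rule is simplified, and the scanner assumes backslash escapes are honoured inside string literals.

```c
#include <stddef.h>

/* Simplified Shift-JIS lead-byte test (assumption for this sketch). */
static int sjis_lead(unsigned char c) {
    return (c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC);
}

/* Byte-wise escaping: doubles ' and \, ignores encoding. Needs 2*len+1. */
size_t escape_bytewise(unsigned char *to, const unsigned char *from, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\') to[n++] = from[i];
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}

/* The reply's idea: also write every byte > 126 as \ooo. Needs 4*len+1. */
size_t escape_octal(unsigned char *to, const unsigned char *from, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = from[i];
        if (c > 126) {
            to[n++] = '\\';
            to[n++] = (unsigned char)('0' + (c >> 6));
            to[n++] = (unsigned char)('0' + ((c >> 3) & 7));
            to[n++] = (unsigned char)('0' + (c & 7));
        } else {
            if (c == '\'' || c == '\\') to[n++] = c;
            to[n++] = c;
        }
    }
    to[n] = '\0';
    return n;
}

/* Offset of the quote that closes the literal body early, or -1 if none.
   sjis != 0 models a scanner that consumes two bytes per lead byte. */
long literal_break(const unsigned char *s, size_t len, int sjis) {
    for (size_t i = 0; i < len; i++) {
        if ((sjis && sjis_lead(s[i])) || s[i] == '\\') { i++; continue; }
        if (s[i] == '\'') {
            if (i + 1 < len && s[i + 1] == '\'') { i++; continue; }
            return (long)i;
        }
    }
    return -1;
}
```

The byte-wise output only breaks out of the literal when the scanner is multibyte-aware and the escaper is not; the octal form is pure ASCII, so both scanners agree on where the literal ends.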