Bruce Momjian <[EMAIL PROTECTED]> writes:
> Tom Lane wrote:
>> Have either of you inquired into the encoding-safety of this code?
>> It certainly looks like no consideration was given for that.

> I thought of that but I assume we were not accepting user-supplied
> identifiers for this --- that this was only for application use. Am I
> wrong?

By definition, an escaping routine is not supposed to trust the data it
is handed. We *will* be seeing a CVE report if this function has got any
escaping vulnerability.

If you insist on a practical example, I can certainly imagine someone
thinking it'd be cool to allow searches on a user-selected column, and
implementing that by passing the user-given column name straight into
the query with only PQescapeIdentifier for safety.

regards, tom lane
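The scenario Tom describes (a user-selected column name dropped into a query with nothing but identifier escaping between it and the SQL text), as an added example written for this page. It is not libpq code and does not call PQescapeIdentifier; it is a Python model of what an identifier-escaping routine has to do with untrusted input (quote it, double embedded quotes, refuse NUL and byte sequences that are invalid in the connection encoding), set beside the raw-interpolation version and beside the allowlist a practitioner would add on top of escaping. The table name, column set and attacker string are constructed for the demonstration.

```python
# Added example for this page; not libpq code and not PQescapeIdentifier.
# Models the contract an identifier escaper must honour for untrusted input
# and shows why a user-chosen column name still wants an allowlist as well.


class IdentifierError(ValueError):
    """Raised when a would-be identifier cannot be quoted safely."""


def quote_ident(name: str, encoding: str = "utf-8") -> str:
    """Return `name` as a double-quoted SQL identifier.

    Embedded double quotes are doubled. NUL characters and text that cannot
    be represented in `encoding` are rejected instead of passed through.
    """
    if "\x00" in name:
        raise IdentifierError("NUL in identifier")
    try:
        name.encode(encoding, errors="strict")
    except UnicodeError as exc:
        raise IdentifierError(f"identifier not representable in {encoding}") from exc
    return '"' + name.replace('"', '""') + '"'


def quote_ident_bytes(raw: bytes, encoding: str = "utf-8") -> str:
    """Quote an identifier received as raw bytes (what a C API would see).

    An escaper that walks bytes without validating the encoding can be fed a
    truncated or invalid multibyte sequence, so decode strictly first and
    refuse anything that is not well-formed in the connection encoding.
    """
    try:
        name = raw.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise IdentifierError(f"invalid {encoding} byte sequence") from exc
    return quote_ident(name, encoding)


# Constructed schema for the demonstration.
TABLE = "customers"
SEARCHABLE_COLUMNS = frozenset({"id", "name", "email"})


def unsafe_search_query(column: str) -> str:
    """Raw interpolation: the user string becomes part of the WHERE clause."""
    return f"SELECT id, name FROM {TABLE} WHERE {column} = $1"


def escaped_search_query(column: str) -> str:
    """Escaping only: the string can no longer break out of the identifier,
    but the user may still name any column of the table, or cause an error."""
    return f"SELECT id, name FROM {TABLE} WHERE {quote_ident(column)} = $1"


def allowlisted_search_query(column: str) -> str:
    """Allowlist plus escaping: escaping protects the SQL syntax, the
    allowlist protects the data model."""
    if column not in SEARCHABLE_COLUMNS:
        raise IdentifierError(f"column not searchable: {column!r}")
    return escaped_search_query(column)


if __name__ == "__main__":
    hostile = "1=1 OR password"            # constructed attacker input
    print(unsafe_search_query(hostile))    # WHERE clause is rewritten
    print(escaped_search_query(hostile))   # stays one (nonexistent) column name
    try:
        allowlisted_search_query(hostile)
    except IdentifierError as exc:
        print("rejected:", exc)
```

Run stand-alone, the script shows the three outcomes for the same hostile string: the raw version turns `WHERE 1=1 OR password = $1` into a condition that matches every row, the escaped version leaves it as a quoted column name that the server will reject, and the allowlisted version never reaches the database. The strict decode in `quote_ident_bytes` is the part that answers the encoding-safety question in the thread: an escaper that cannot tell a trailing byte of a multibyte character from a quote character, or that accepts an invalid sequence, has no business producing SQL text.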