Re: [HACKERS] PQescapeIdentifier

2006-06-14 Thread Bruce Momjian

Your patch has been added to the PostgreSQL unapplied patches list at:

http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---


Christopher Kings-Lynne wrote:
> TODO item done for 8.2:
>
> * Add PQescapeIdentifier() to libpq
>
> Someone probably needs to check this :)
>
> Chris


-- 
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

---(end of broadcast)---
TIP 3: Have you checked our extensive FAQ?

   http://www.postgresql.org/docs/faq


Re: [HACKERS] PQescapeIdentifier

2006-05-31 Thread Dave Page
 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher Kings-Lynne
> Sent: 31 May 2006 04:16
> To: Tom Lane
> Cc: Hackers
> Subject: Re: [HACKERS] PQescapeIdentifier
>
> > Christopher Kings-Lynne [EMAIL PROTECTED] writes:
> >> Here's a question. I wish to add a function to libpq to escape
> >> PostgreSQL identifiers.  Will this function be subject to the same
> >> security/encoding issues as PQescapeString?
> >
> > Is this of any general-purpose use?  How many apps are really prepared
> > to let an untrusted user dictate which columns are selected/compared?
>
> phpPgAdmin has use for it, I assume pgAdmin would as well.

Yes, it would.

Regards, Dave.



[HACKERS] PQescapeIdentifier

2006-05-30 Thread Christopher Kings-Lynne
Here's a question. I wish to add a function to libpq to escape 
PostgreSQL identifiers.  Will this function be subject to the same 
security/encoding issues as PQescapeString?


Chris

--
Christopher Kings-Lynne

Technical Manager
CalorieKing
Tel: +618.9389.8777
Fax: +618.9389.8444
[EMAIL PROTECTED]
www.calorieking.com




Re: [HACKERS] PQescapeIdentifier

2006-05-30 Thread Tom Lane
Christopher Kings-Lynne [EMAIL PROTECTED] writes:
> Here's a question. I wish to add a function to libpq to escape
> PostgreSQL identifiers.  Will this function be subject to the same
> security/encoding issues as PQescapeString?

Is this of any general-purpose use?  How many apps are really prepared
to let an untrusted user dictate which columns are selected/compared?

But to answer your question, yes, I can certainly imagine
encoding-related risks...

regards, tom lane



Re: [HACKERS] PQescapeIdentifier

2006-05-30 Thread Christopher Kings-Lynne

> Christopher Kings-Lynne [EMAIL PROTECTED] writes:
>> Here's a question. I wish to add a function to libpq to escape
>> PostgreSQL identifiers.  Will this function be subject to the same
>> security/encoding issues as PQescapeString?
>
> Is this of any general-purpose use?  How many apps are really prepared
> to let an untrusted user dictate which columns are selected/compared?

phpPgAdmin has use for it, I assume pgAdmin would as well.  As does
PHP's PostgreSQL interface, etc.  The PHP sites I work on in my job have
some functions to automatically build queries (eg. insert queries),
which technically need to escape column names.

It seems nice from my point of view as completeness, and will help in
the case when we ever change identifier escaping, etc.  It might also
encourage app writers to escape fields properly...I've seen too many
places where they escape strings, but not fields...

However, I guess it's still a small minority of apps.

> But to answer your question, yes, I can certainly imagine
> encoding-related risks...

It's probably out of my league to code safely then I guess, unless it's
basically the same coding as for PQescapeStringInternal...?


Chris





Re: [HACKERS] PQescapeIdentifier

2005-10-26 Thread Bruce Momjian

This has been saved for the 8.2 release:

http://momjian.postgresql.org/cgi-bin/pgpatches_hold

---

Christopher Kings-Lynne wrote:
> TODO item done for 8.2:
>
> * Add PQescapeIdentifier() to libpq
>
> Someone probably needs to check this :)
>
> Chris


-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073



[HACKERS] PQescapeIdentifier

2005-10-25 Thread Christopher Kings-Lynne

TODO item done for 8.2:

* Add PQescapeIdentifier() to libpq

Someone probably needs to check this :)

Chris


libpq.txt.gz
Description: GNU Zip compressed data



Re: [HACKERS] PQescapeIdentifier

2005-07-29 Thread Bruce Momjian
Christopher Kings-Lynne wrote:
> How about a PQescapeIdentifier function in libpq? :)

Good idea, added to TODO.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073



[HACKERS] PQescapeIdentifier

2005-07-06 Thread Christopher Kings-Lynne

How about a PQescapeIdentifier function in libpq? :)

Chris

