Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-07 Thread Bruce Momjian 


Has this been resolved?


 Peter Eisentraut [EMAIL PROTECTED] writes:
  Tom Lane writes:
  I don't follow.  xddouble can only expand to two quote marks, so how
  does it matter which one we use as the result?
 
  addlit() expects the first argument to be null-terminated and implicitly
  uses that null byte at the end of the supplied argument to terminate its
  own buffer.
 
 Hmm, so I see:
 
   /* append data --- note we assume ytext is null-terminated */
   memcpy(literalbuf+literallen, ytext, yleng+1);
   literallen += yleng;
 
 Given that we are passing the length of the desired string, it seems
 bug-prone for addlit to *also* expect null termination.  I'd suggest
 
   memcpy(literalbuf+literallen, ytext, yleng);
   literallen += yleng;
   literalbuf[literallen] = '\0';
 
 instead.
 
   regards, tom lane
 
 ---(end of broadcast)---
 TIP 6: Have you searched our list archives?
 
 http://www.postgresql.org/search.mpl
 

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 853-3000
  +  If your life is a hard drive, |  830 Blythe Avenue
  +  Christ can be your backup.|  Drexel Hill, Pennsylvania 19026

---(end of broadcast)---
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/users-lounge/docs/faq.html

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-07 Thread Tom Lane 

Bruce Momjian [EMAIL PROTECTED] writes:
 Has this been resolved?

Peter applied his patch, but I am planning to also change addlit to not
require null termination, because I believe we'll get bit again if we
don't.

regards, tom lane

---(end of broadcast)---
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Florian Weimer 

Peter Eisentraut [EMAIL PROTECTED] writes:

 Florian Weimer writes:
 
  The first version escaped ' with ''.  I changed it when I noticed that
  if \' is used instead, the same function can be used for strings
  ('...') and identifiers (...).
 
 Last time I checked (15 seconds ago), you could not escape  with \ in
 PostgreSQL.  The identifer parsing rules are a bit different from strings.

Yes, we misread the lexer description.  I'm sorry about that.

In addition, there seems to be a bug in the treatment of  escapes in
identifiers. 'SELECT ;' yields the error message 'Attribute ''
not found ' (not ''!) or even 'Attribute '\' not found', depending
on the queries executed before.

For identifiers, comparing the characters to a white list is probably
a more reasonable approach.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898

---(end of broadcast)---
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/users-lounge/docs/faq.html

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Bruce Momjian 

 Bruce Momjian [EMAIL PROTECTED] writes:
 
  OK, can you supply an updated patch?
 
 Yes, I'm going to update it.  Shall I post it here?

Sure, or patches list.

 Could anybody have a look at the parser issue?

I am unsure how it is supposed to behave.  Comments?  Does the standard
say anything?

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 853-3000
  +  If your life is a hard drive, |  830 Blythe Avenue
  +  Christ can be your backup.|  Drexel Hill, Pennsylvania 19026

---(end of broadcast)---
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Bruce Momjian 


OK, can you supply an updated patch?


 Peter Eisentraut [EMAIL PROTECTED] writes:
 
  Florian Weimer writes:
  
   The first version escaped ' with ''.  I changed it when I noticed that
   if \' is used instead, the same function can be used for strings
   ('...') and identifiers (...).
  
  Last time I checked (15 seconds ago), you could not escape  with \ in
  PostgreSQL.  The identifer parsing rules are a bit different from strings.
 
 Yes, we misread the lexer description.  I'm sorry about that.
 
 In addition, there seems to be a bug in the treatment of  escapes in
 identifiers. 'SELECT ;' yields the error message 'Attribute ''
 not found ' (not ''!) or even 'Attribute '\' not found', depending
 on the queries executed before.
 
 For identifiers, comparing the characters to a white list is probably
 a more reasonable approach.
 
 -- 
 Florian Weimer  [EMAIL PROTECTED]
 University of Stuttgart   http://cert.uni-stuttgart.de/
 RUS-CERT  +49-711-685-5973/fax +49-711-685-5898
 
 ---(end of broadcast)---
 TIP 5: Have you checked our extensive FAQ?
 
 http://www.postgresql.org/users-lounge/docs/faq.html
 

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 853-3000
  +  If your life is a hard drive, |  830 Blythe Avenue
  +  Christ can be your backup.|  Drexel Hill, Pennsylvania 19026

---(end of broadcast)---
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Peter Eisentraut 

Florian Weimer writes:

 In addition, there seems to be a bug in the treatment of  escapes in
 identifiers. 'SELECT ;' yields the error message 'Attribute ''
 not found ' (not ''!) or even 'Attribute '\' not found', depending
 on the queries executed before.

A bug indeed.

RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/parser/scan.l,v
retrieving revision 1.88
diff -u -r1.88 scan.l
--- scan.l  2001/03/22 17:41:47 1.88
+++ scan.l  2001/09/03 22:11:46
@@ -375,7 +375,7 @@
return IDENT;
}
 xd{xddouble} {
-   addlit(yytext, yyleng-1);
+   addlit(yytext+1, yyleng-1);
}
 xd{xdinside} {
addlit(yytext, yyleng);
===end

-- 
Peter Eisentraut   [EMAIL PROTECTED]   http://funkturm.homeip.net/~peter


---(end of broadcast)---
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Tom Lane 

Peter Eisentraut [EMAIL PROTECTED] writes:
 A bug indeed.

  xd{xddouble} {
 -   addlit(yytext, yyleng-1);
 +   addlit(yytext+1, yyleng-1);
 }

I don't follow.  xddouble can only expand to two quote marks, so how
does it matter which one we use as the result?  This seems unlikely
to change the behavior.  If it does, I think the real bug is elsewhere.

I do see a bug here --- I get

regression=# select ;
NOTICE:  identifier  [ lots o' rubouts ] @;Ç will 
be truncated to 
ERROR:  Attribute '' not found
regression=#

regards, tom lane

---(end of broadcast)---
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/users-lounge/docs/faq.html

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Peter Eisentraut 

Tom Lane writes:

 Peter Eisentraut [EMAIL PROTECTED] writes:
  A bug indeed.

   xd{xddouble} {
  -   addlit(yytext, yyleng-1);
  +   addlit(yytext+1, yyleng-1);
  }

 I don't follow.  xddouble can only expand to two quote marks, so how
 does it matter which one we use as the result?

addlit() expects the first argument to be null-terminated and implicitly
uses that null byte at the end of the supplied argument to terminate its
own buffer.  It expects to copy doublequotenull (new version), whereas
it got (old version) doublequotedoublequote and left the buffer
unterminated, which leads to random behavior, as you saw.

Since there are only a few calls to addlit(), I didn't feel like
re-engineering the whole interface to be prettier.  It does look like a
performance-beneficial implementation.

A concern related to the matter is that if you actually put such an
identifier into your database you basically make it undumpable (well,
unrestorable) because no place is prepared to handle such a thing.

-- 
Peter Eisentraut   [EMAIL PROTECTED]   http://funkturm.homeip.net/~peter


---(end of broadcast)---
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-03 Thread Tom Lane 

Peter Eisentraut [EMAIL PROTECTED] writes:
 Tom Lane writes:
 I don't follow.  xddouble can only expand to two quote marks, so how
 does it matter which one we use as the result?

 addlit() expects the first argument to be null-terminated and implicitly
 uses that null byte at the end of the supplied argument to terminate its
 own buffer.

Hmm, so I see:

/* append data --- note we assume ytext is null-terminated */
memcpy(literalbuf+literallen, ytext, yleng+1);
literallen += yleng;

Given that we are passing the length of the desired string, it seems
bug-prone for addlit to *also* expect null termination.  I'd suggest

memcpy(literalbuf+literallen, ytext, yleng);
literallen += yleng;
literalbuf[literallen] = '\0';

instead.

regards, tom lane

---(end of broadcast)---
TIP 6: Have you searched our list archives?

http://www.postgresql.org/search.mpl

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-09-01 Thread Peter Eisentraut 

Florian Weimer writes:

 The first version escaped ' with ''.  I changed it when I noticed that
 if \' is used instead, the same function can be used for strings
 ('...') and identifiers (...).

Last time I checked (15 seconds ago), you could not escape  with \ in
PostgreSQL.  The identifer parsing rules are a bit different from strings.

-- 
Peter Eisentraut   [EMAIL PROTECTED]   http://funkturm.homeip.net/~peter


---(end of broadcast)---
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]

[HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-08-23 Thread Christopher Masto 

On Wed, Aug 22, 2001 at 05:16:44PM +, Florian Weimer wrote:
 We therefore suggest that a string escaping function is included in a
 future version of PostgreSQL and libpq.  A sample implementation is
 provided below, along with documentation.

I use Perl, which (through DBD::Pg) has a quote function available,
but I think this is a very good idea to include in the library.

I only have one issue - the SQL standard seems to support the use
of '' to escape a single quote, but not \'.  Though PostgreSQL has
an extended notion of character string literals, I think that the
usual policy of using the standard interface when possible should
apply.
-- 
Christopher Masto Senior Network Monkey  NetMonger Communications
[EMAIL PROTECTED][EMAIL PROTECTED]http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/

---(end of broadcast)---
TIP 4: Don't 'kill -9' the postmaster

Re: [HACKERS] Re: Escaping strings for inclusion into SQL queries

2001-08-23 Thread Florian Weimer 

Christopher Masto [EMAIL PROTECTED] writes:

 I only have one issue - the SQL standard seems to support the use
 of '' to escape a single quote, but not \'.  Though PostgreSQL has
 an extended notion of character string literals, I think that the
 usual policy of using the standard interface when possible should
 apply.

The first version escaped ' with ''.  I changed it when I noticed that
if \' is used instead, the same function can be used for strings
('...') and identifiers (...).

In addition, you have to replace \ with \\, so you are forced
to leave the grounds of the standard anyway.

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898

---(end of broadcast)---
TIP 5: Have you checked our extensive FAQ?

http://www.postgresql.org/users-lounge/docs/faq.html