Participants
Matthew Schumacher
Matthew Schumacher
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1Matthew SchumacherMatthew Schumacher
Jun 07, 2006
#2Tom LaneTom Laneto Matthew Schumacher (#1)
Jun 07, 2006
#3Matthew SchumacherMatthew Schumacherto Tom Lane (#2)
Jun 07, 2006
#4Tom LaneTom Laneto Matthew Schumacher (#3)
Jun 07, 2006

Backslash problems with 8.1.4

Started by Matthew Schumacheralmost 20 years ago4 messagesgeneral
Jump to latest
#1Matthew Schumacher
Matthew Schumacher
matt.s@aptalaska.net

Hello list,

I upgraded to postgres-8.1.4 and saw all of the backslash escape changes
and understand why, but I can't figure out how to put a literal \' in
the database. If \ is no longer escaping shouldn't I be able to use \�
and have postgres ignore the \ and use standard sql syntax to escape the
single '?

It seems that no matter what I try postgres returns an error message
because it thinks I'm trying to escape the '.

The data is coming from PHP, and yes, I know that embedded SQL is bad,
but I want to disable \ escaping now since I don't use it and it will be
a little while before I can convert to PDO.

Is there any way to disable \ escaping and pass a literal \' without
postgres kicking back an error on the query?

schu

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Matthew Schumacher (#1)
Re: Backslash problems with 8.1.4

Matthew Schumacher <matt.s@aptalaska.net> writes:

I upgraded to postgres-8.1.4 and saw all of the backslash escape changes
and understand why, but I can't figure out how to put a literal \' in
the database.

You use the SQL-standard way, which is to repeat the quote mark:
'Meet at Joe''s house'

The data is coming from PHP,

I have met your problem, and its name is addslashes(). Don't use it.
addslashes is exactly the security hole we are trying to plug.

regards, tom lane

#3Matthew Schumacher
Matthew Schumacher
matt.s@aptalaska.net
In reply to: Tom Lane (#2)
Re: Backslash problems with 8.1.4

Tom Lane wrote:

Matthew Schumacher <matt.s@aptalaska.net> writes:

I upgraded to postgres-8.1.4 and saw all of the backslash escape changes
and understand why, but I can't figure out how to put a literal \' in
the database.

You use the SQL-standard way, which is to repeat the quote mark:
'Meet at Joe''s house'

The data is coming from PHP,

I have met your problem, and its name is addslashes(). Don't use it.
addslashes is exactly the security hole we are trying to plug.

regards, tom lane

Thanks for the reply Tom, however I don't think you understand my issue.
I'm not using addslashes and I am using the SQL standard way to
escape a single quote. The problem is that I want to put a literal \'
inside the database. So if \ is no longer an escape character, and ''
is the SQL way to pass a literal ' then you would think that \'' would
put a literal \' into the database, however postgres rejects this and
spits out an error.

So the question isn't how to I escape ', the question is how do I insert
a literal \' into a varchar?

Thanks,
schu

#4Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Matthew Schumacher (#3)
Re: Backslash problems with 8.1.4

Matthew Schumacher <matt.s@aptalaska.net> writes:

Thanks for the reply Tom, however I don't think you understand my issue.
I'm not using addslashes and I am using the SQL standard way to
escape a single quote. The problem is that I want to put a literal \'
inside the database. So if \ is no longer an escape character, and ''
is the SQL way to pass a literal ' then you would think that \'' would
put a literal \' into the database, however postgres rejects this and
spits out an error.

Oh, you're mistaken about \ ... it's still an escape character, as of 8.1.
(Beginning in 8.2 there will be a way to make it not an escape.) So
what you need for that is \\'' inside your literal string.

regards, tom lane

← Back to Topics