PQescapeIdentifier

Started by Christopher Kings-Lynne, over 19 years ago, 4 messages
#1 Christopher Kings-Lynne
chris.kings-lynne@calorieking.com

Here's a question. I wish to add a function to libpq to escape
PostgreSQL identifiers. Will this function be subject to the same
security/encoding issues as PQescapeString?

Chris

--
Christopher Kings-Lynne

Technical Manager
CalorieKing
Tel: +618.9389.8777
Fax: +618.9389.8444
chris.kings-lynne@calorieking.com
www.calorieking.com

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Christopher Kings-Lynne (#1)
Re: PQescapeIdentifier

Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes:

> Here's a question. I wish to add a function to libpq to escape
> PostgreSQL identifiers. Will this function be subject to the same
> security/encoding issues as PQescapeString?

Is this of any general-purpose use? How many apps are really prepared
to let an untrusted user dictate which columns are selected/compared?

But to answer your question, yes, I can certainly imagine
encoding-related risks...

regards, tom lane

#3 Christopher Kings-Lynne
chris.kings-lynne@calorieking.com
In reply to: Tom Lane (#2)
Re: PQescapeIdentifier

> Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes:
>
> > Here's a question. I wish to add a function to libpq to escape
> > PostgreSQL identifiers. Will this function be subject to the same
> > security/encoding issues as PQescapeString?
>
> Is this of any general-purpose use? How many apps are really prepared
> to let an untrusted user dictate which columns are selected/compared?

phpPgAdmin has use for it, I assume pgAdmin would as well. As does
PHP's PostgreSQL interface, etc. The PHP sites I work on in my job have
some functions to automatically build queries (eg. insert queries),
which technically need to escape column names.

It seems nice from my point of view as "completeness", and will help in
the case when we ever change identifier escaping, etc. It might also
encourage app writers to escape fields properly...I've seen too many
places where they escape strings, but not fields...

However, I guess it's still a small minority of apps.

> But to answer your question, yes, I can certainly imagine
> encoding-related risks...

It's probably out of my league to code safely then I guess, unless it's
basically the same coding as for PQescapeStringInternal...?

Chris
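An added example, not code from this thread or from libpq, of the encoding-aware escaping Chris asks about: a hypothetical quote_identifier_utf8() that assumes a UTF-8 client encoding, doubles embedded double quotes, and rejects malformed or truncated multibyte input rather than letting a stray lead byte swallow the quote that follows it; quotes_to() is a small check helper, also hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Byte length of the UTF-8 sequence started by lead byte c, or 0 if c cannot start one. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    return ((c & 0xF8) == 0xF0) ? 4 : 0;   /* 0: continuation byte or invalid lead byte */
}

/*
 * Hypothetical identifier quoting for a UTF-8 client encoding (not libpq's code).
 * Multibyte characters are copied whole, so a trailing byte is never inspected as a
 * quote, and a truncated or malformed sequence fails with NULL instead of emitting
 * bytes the server could parse differently. Returns a malloc'd string the caller frees.
 */
char *quote_identifier_utf8(const char *in, size_t len)
{
    char *out = malloc(2 * len + 3);       /* worst case: every byte is '"', plus quotes and NUL */
    size_t i = 0, o = 0;
    if (out == NULL) return NULL;
    out[o++] = '"';
    while (i < len) {
        unsigned char c = (unsigned char) in[i];
        size_t n = utf8_seq_len(c);
        if (c == 0 || n == 0 || i + n > len) { free(out); return NULL; }
        if (n == 1) {
            if (c == '"') out[o++] = '"';  /* double the embedded quote */
            out[o++] = (char) c;
        } else {
            for (size_t k = 1; k < n; k++) /* every trailing byte must be 10xxxxxx */
                if (((unsigned char) in[i + k] & 0xC0) != 0x80) { free(out); return NULL; }
            memcpy(out + o, in + i, n);
            o += n;
        }
        i += n;
    }
    out[o++] = '"';
    out[o] = '\0';
    return out;
}

/* Check helper: 1 if quoting `in` yields `expect` (NULL expect means "rejected"), else 0. */
int quotes_to(const char *in, size_t len, const char *expect)
{
    char *q = quote_identifier_utf8(in, len);
    int ok = (q == NULL) ? (expect == NULL) : (expect != NULL && strcmp(q, expect) == 0);
    free(q);
    return ok;
}
```

The third check below is the case Tom alludes to: a lead byte immediately followed by a quote is refused outright instead of being doubled byte by byte.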

#4 Dave Page
dpage@vale-housing.co.uk
In reply to: Christopher Kings-Lynne (#3)
Re: PQescapeIdentifier

> -----Original Message-----
> From: pgsql-hackers-owner@postgresql.org
> [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of
> Christopher Kings-Lynne
> Sent: 31 May 2006 04:16
> To: Tom Lane
> Cc: Hackers
> Subject: Re: [HACKERS] PQescapeIdentifier
>
> > Christopher Kings-Lynne <chris.kings-lynne@calorieking.com> writes:
> >
> > > Here's a question. I wish to add a function to libpq to escape
> > > PostgreSQL identifiers. Will this function be subject to the same
> > > security/encoding issues as PQescapeString?
> >
> > Is this of any general-purpose use? How many apps are really prepared
> > to let an untrusted user dictate which columns are selected/compared?
>
> phpPgAdmin has use for it, I assume pgAdmin would as well.

Yes, it would.

Regards, Dave.