Am 20.12.2014 um 23:10 schrieb Tim Bunce <tim.bu...@pobox.com>: > On Sat, Dec 20, 2014 at 05:35:55PM +0100, Alexander Foken wrote: >> On 20.12.2014 15:38, Tim Bunce wrote: >>> Can you, or anyone else, think of any situation where a backslash before >>> a ? or :foo (or even $1) style placeholder might be valid SQL? >> >> I found two situations for PostgreSQL: >> >> (1) PostgreSQL allows almost any character as escape character in >> Unicode string constants >> (<http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE>). >> With that, I can construct an expression containing \:foo that is >> valid SQL as understood by PostgreSQL: >> >> U&'foo\:AAAAbar' UESCAPE ':' >> >> This expression represents the string foo\Xbar, where X is the >> Unicode character U+AAAA ("TAI VIET LETTER LOW VO"). > > I don't think that'll be a problem because the driver code that parses > the statement looking for placeholders will skip over quoted strings.
Sure, strings can be manipulated on language level, no need for driver to interfere. >> (2) PostgreSQL also allows "Dollar quoting" >> (<http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-DOLLAR-QUOTING>). >> With that, I can construct an expression containing \$1 that is >> valid SQL as understood by PostgreSQL: >> >> $1$foo\$1$ >> >> This expression represents the string foo\, quoted by dollar signs >> using the character 1 as tag. > > I'm not sure if the driver code that parses statements in DBD::Pg > handles dollar quoting. I presume so. In which case this shouldn't be a > problem either for the same reason as above. > >>> So far no one has come up with one, so I'm getting more comfortable >>> with the idea that a backslash before a placeholder is a safe change. >>> I.e., there's a near-zero risk that upgrading a DBI driver to support >>> backslashes would cause breakage in existing code. >> >> Do you plan to escape the escape character, i.e. use a double >> backslash at DBI level to represent a single backslash at database >> level? > > That's a good question. I'm not sure. I think the answer has to be no. > I'd welcome any input on that. We have a dictum (translated word by word ...): One can't even think as foolish as it sometimes happens. When escaping is specified, escaping the escape character itself should be mandatory - just for being complete and do not ask for future trouble. Of course - outside of quotes only. Cheers -- Jens Rehsack rehs...@gmail.com
