[switched to -hackers]
Tom Lane wrote:

> Rod Taylor <[EMAIL PROTECTED]> writes:
>
> > It probably won't be any worse than when '' was rejected for an integer
> > 0.
>
> That analogy is *SO* far off the mark that I have to object.
> Fooling with quoting rules will not simply cause clean failures, which
> is what you got from ''-no-longer-accepted-by-atoi. What it will cause
> is formerly valid input being silently interpreted as something else.
> That's bad enough, but it gets worse: formerly secure client code may
> now be vulnerable to SQL-injection attacks, because it doesn't know how
> to quote text properly.
>
> What we are talking about here is an extremely significant change with
> extremely serious consequences, and imagining that it is not will be
> a recipe for disaster.

All true. Conversely, there does need to be a path for us to get to
standard behaviour.

I think we're going to need to provide for switchable behaviour, as ugly
as that might be (looking briefly at scan.l it looks like the simplest
way would be a separate state for being inside standard strings, with
the choice of state being made conditionally in the {xqstart} rule).

We can't just break backwards compatibility overnight like this.

cheers
andrew
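
An added illustration of the concern discussed in this message, not code from the thread or from PostgreSQL's scan.l: a toy literal scanner with a hypothetical `standard_strings` switch and two client-side quoting helpers, showing that a value only round-trips when the client's quoting rule matches the scanner's mode. All names and sample values are constructed.

```python
# Toy model only: function names and the standard_strings flag are hypothetical.

def scan_literal(sql, standard_strings):
    """Scan one single-quoted literal at the start of sql.
    Returns (decoded_value, unscanned_tail)."""
    if not sql.startswith("'"):
        raise ValueError("expected opening quote")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":      # doubled quote: literal ' in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote
        if c == "\\" and not standard_strings:
            if i + 1 >= len(sql):
                raise ValueError("unterminated literal")
            nxt = sql[i + 1]                  # backslash-escape mode
            out.append({"n": "\n", "t": "\t"}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)                         # standard mode: backslash is ordinary
        i += 1
    raise ValueError("unterminated literal")

def quote_backslash_style(s):
    """Client quoting written for backslash-escape mode."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_standard_style(s):
    """Client quoting written for standard mode: only double the quotes."""
    return "'" + s.replace("'", "''") + "'"

def round_trips(value, quoter, standard_strings):
    """True if the scanner recovers exactly `value` with nothing left over."""
    try:
        return scan_literal(quoter(value), standard_strings) == (value, "")
    except ValueError:
        return False

if __name__ == "__main__":
    for quoter in (quote_backslash_style, quote_standard_style):
        for mode in (False, True):
            for v in ("it's", "C:\\"):
                print(quoter.__name__, "standard" if mode else "escape",
                      repr(v), round_trips(v, quoter, mode))
```

A non-empty tail from `scan_literal` means part of the client's data ended up outside the literal, which is the condition a compatibility check should flag before any mode switch.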