Tom Lane wrote:
> Bruce Momjian <[EMAIL PROTECTED]> writes:
> > Tom Lane wrote:
> >> Have either of you inquired into the encoding-safety of this code?
> >> It certainly looks like no consideration was given for that.
> > I thought of that but I assume we were not accepting user-supplied
> > identifiers for this --- that this was only for application use.  Am I
> > wrong?
> By definition, an escaping routine is not supposed to trust the data it
> is handed.  We *will* be seeing a CVE report if this function has got
> any escaping vulnerability.
> If you insist on a practical example, I can certainly imagine someone
> thinking it'd be cool to allow searches on a user-selected column, and
> implementing that by passing the user-given column name straight into
> the query with only PQescapeIdentifier for safety.

OK, does someone want to fix it, or should I revert it?

  Bruce Momjian   [EMAIL PROTECTED]

  + If your life is a hard drive, Christ can be your backup. +

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

Reply via email to