Yeah... I just had a look at the PostgreSQL docs. I found that both parameters 'standard_conforming_strings' and 'backslash_quote' were introduced in security update 7.4.13. My client has 7.4.3... with a lot of security problems :) I'll let him know about it.
On Sep 30, 4:05 pm, mdipierro <[email protected]> wrote:
> That may work, but you would need to try.
>
> Try inserting a ' and a \ in a text field and see if you get any
> OperationalError.
>
> On Sep 30, 8:59 am, Adrian Klaver <[email protected]> wrote:
>
> > On Thursday 30 September 2010 6:47:38 am mdipierro wrote:
> >
> > > The problem is that PostgreSQL before 8.2 did not conform to the SQL
> > > specs and uses
> > >
> > > \' to escape quotes instead of ''
> > >
> > > Even in 8.2 it was optional and had to be set with the command that
> > > gives you trouble.
> >
> > If it's only a matter of \' then see here:
> > http://www.postgresql.org/docs/7.4/interactive/runtime-config.html#RU...
> >
> > "backslash_quote (string)
> >
> > This controls whether a quote mark can be represented by \' in a string
> > literal. The preferred, SQL-standard way to represent a quote mark is by
> > doubling it ('') but PostgreSQL has historically also accepted \'. However,
> > use of \' creates security risks because in some client character set
> > encodings, there are multibyte characters in which the last byte is
> > numerically equivalent to ASCII \. If client-side code does escaping
> > incorrectly then a SQL-injection attack is possible. This risk can be
> > prevented by making the server reject queries in which a quote mark appears
> > to be escaped by a backslash. The allowed values of backslash_quote are on
> > (allow \' always), off (reject always), and safe_encoding (allow only if
> > client encoding does not allow ASCII \ within a multibyte character).
> > safe_encoding is the default setting."
> >
> > --
> > Adrian Klaver
> > [email protected]
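The quoted backslash_quote documentation describes the failure mode in words; the following is an added example (not code from the thread or from PostgreSQL) that models it at the byte level so the difference between the two escaping styles can be checked offline. It assumes a naive client that escapes byte by byte, a server that decodes the literal under the client encoding, and a constructed sample input consisting of a GBK lead byte followed by an apostrophe. The `scan_literal`, `assess` and escape helpers are hypothetical names chosen for the example.

```python
# Added example (not from the thread): a byte-level model of the risk the
# quoted backslash_quote documentation describes, and of why SQL-standard quote
# doubling avoids it. Assumption: the client escapes byte by byte (as a naive C
# client would) and the server decodes the literal under the client encoding.

def escape_backslash(raw: bytes) -> bytes:
    """Legacy style: represent ' as \\' (and \\ as \\\\) inside a literal."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubling(raw: bytes) -> bytes:
    """SQL-standard style: represent ' as '' inside a literal; backslashes untouched."""
    return raw.replace(b"'", b"''")


def scan_literal(body: str, server_processes_backslashes: bool) -> str:
    """Walk the decoded body of a single-quoted literal the way the server's
    lexer would.  Returns "ok" if the body stays inside the literal,
    "closes_early" if a bare quote ends it before the intended end (the
    injection case), or "unterminated" if a trailing backslash would swallow
    the closing quote (the OperationalError mdipierro predicts for old servers)."""
    i = 0
    while i < len(body):
        ch = body[i]
        if server_processes_backslashes and ch == "\\":
            if i + 1 >= len(body):
                return "unterminated"
            i += 2                      # backslash consumes the next character
            continue
        if ch == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2                  # doubled quote: one literal apostrophe
                continue
            return "closes_early"       # bare quote: the literal ends here
        i += 1
    return "ok"


def assess(raw: bytes, scheme: str, client_encoding: str,
           server_processes_backslashes: bool) -> str:
    """Escape `raw` with the given scheme, decode as the server would under
    `client_encoding`, and report what the server's lexer makes of it."""
    escaped = escape_backslash(raw) if scheme == "backslash" else escape_doubling(raw)
    # A real server rejects malformed byte sequences outright; errors="replace"
    # keeps the model running so the quote handling itself can be inspected.
    body = escaped.decode(client_encoding, errors="replace")
    return scan_literal(body, server_processes_backslashes)


# Constructed sample: a GBK lead byte followed by an apostrophe. In GBK the byte
# 0x5C (ASCII backslash) is a valid trailing byte, so a backslash inserted by the
# client can be absorbed into a two-byte character, leaving the quote bare.
MULTIBYTE_QUOTE = b"\xbf'"

if __name__ == "__main__":
    cases = [
        ("GBK, backslash escaping, backslashes processed", MULTIBYTE_QUOTE, "backslash", "gbk", True),
        ("GBK, quote doubling, standard strings",          MULTIBYTE_QUOTE, "doubling",  "gbk", False),
        ("UTF-8, backslash escaping (safe_encoding case)", MULTIBYTE_QUOTE, "backslash", "utf-8", True),
        ("trailing backslash, doubling, old server",       b"C:\\dir\\",    "doubling",  "utf-8", True),
    ]
    for label, raw, scheme, enc, bs in cases:
        print(f"{label}: {assess(raw, scheme, enc, bs)}")
```

The first case is the one the documentation warns about: the client's backslash becomes the second byte of a GBK character and the quote is left unescaped. Quote doubling with `standard_conforming_strings` on is immune to it, and under UTF-8 the same input is harmless because 0x5C can never be part of a multibyte character, which is exactly what `backslash_quote = safe_encoding` relies on. The last case reproduces the OperationalError mdipierro describes: a doubling client that leaves backslashes alone, talking to a server that still processes them, produces an unterminated literal when the value ends in a backslash. Parameterized queries sidestep all of this, since the driver never builds the literal at all.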

