* Martin Pitt:

> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable to this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq.
PQescapeString is deprecated because given its interface, the security bug cannot be closed completely. You really should use PQescapeStringConn.

Would you add this information to the other bug reports, too?
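The two quoting strategies the report contrasts, as an added C example (this is neither exim's pgsql_quote() nor libpq code; libpq is not linked here, so the connection state that PQescapeStringConn() reads is modelled by a `backslash_is_escape` flag, and encoding-aware character stepping is not modelled):

```c
#include <stdlib.h>
#include <string.h>

/* Escaping in the style of the old pgsql_quote() loop: prefix ' with a
   backslash. Kept only to contrast with the fix; this is the form the
   report describes as vulnerable in affected client encodings. */
char *quote_backslash_style(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1);   /* worst case: every byte doubled */
    char *p = out;
    if (out == NULL) return NULL;
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* The quick fix from the report: double single quotes instead.
   backslash_is_escape stands in for what PQescapeStringConn() learns from
   the connection (standard_conforming_strings off means a backslash inside
   '...' is an escape character and has to be doubled as well). Added
   illustration, not libpq's implementation: the real function additionally
   steps through the input in encoding-aware character units. */
char *quote_doubling_style(const char *in, int backslash_is_escape)
{
    char *out = malloc(2 * strlen(in) + 1);
    char *p = out;
    if (out == NULL) return NULL;
    for (; *in; in++) {
        if (*in == '\'' || (backslash_is_escape && *in == '\\'))
            *p++ = *in;                       /* write the byte twice */
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Defensive check on an escaped literal body: every single quote must be
   one half of a doubled pair, so none can terminate the literal early. */
int quotes_all_doubled(const char *s)
{
    for (; *s; s++) {
        if (*s == '\'') {
            if (s[1] != '\'') return 0;
            s++;
        }
    }
    return 1;
}
```

The check passes for the doubled form and fails for the backslash form, which is the property that breaks once the server stops treating the backslash as an escape or merges it into a multibyte character.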