* Marc Haber:

>> +The original code quoted single quotes as \' which is documented as valid
>> in
>> +the O'Reilly book "Practical PostgreSQL" (first edition) as an
>> alternative to
>> +the SQL standard '' way of representing a single quote as data. However,
>> in
>> +June 2006 there was some security issue with using \' and so this has been
>> +changed.

This is still not correct. You need to deal with multi-byte character encodings while quoting, otherwise you still suffer from the vulnerability for certain encodings.

>> +[Note: There is a function called PQescapeStringConn() that quotes
>> strings.
>> +This cannot be used because it needs a PGconn argument (the connection
>> handle).
>> +Why, I don't know. Seems odd for just string escaping...]

PQescapeStringConn uses the connection handle to determine the encoding of the passed string. If you can't supply the handle, PQescapeString is the better choice, but it relies on an internal global variable.

I'm going to have a look at how Exim deals with SQL backends. Perhaps there is a reasonably portable way to do away with all that quoting.
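Review bot: the bracketed note in the second quoted hunk ("Why, I don't know. Seems odd for just string escaping...") commits an open question as a code comment; a comment should state the reason, not record uncertainty, so either document why PQescapeStringConn() requires the PGconn (the reply above explains that it is used to determine the encoding of the string being escaped, which is exactly what the multi-byte issue raised on the first hunk depends on) or drop the speculative sentence.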