[exim] quote_pgsql

Inizio della pagina
Delete this message
Reply to this message
Autore: Jasen Betts
Data:  
To: exim-users
Oggetto: [exim] quote_pgsql

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html

spec says:
> The quote_mysql, quote_pgsql, and quote_oracle expansion operators
> convert newline, tab, carriage return, and backspace to \n, \t, \r,
> and \b respectively, and the characters single-quote, double-quote,
> and backslash itself are escaped with backslashes. The quote_pgsql
> expansion operator, in addition, escapes the percent and underscore
> characters. This cannot be done for MySQL because these escapes are
> not recognized in contexts where these characters are not special.


this is mysterious:

In postgresql queries {\_} means the same as {_} in any place where
{\n} means newline. if this was doing something useful it was being
misused.

It's also wrong. {'} is actually escaped as {''} as it should be.
escaping it as {\'} leads to sql injection vulerability where
standard_confroming_strings are used accidentally.

So, strange, but harmless.


--
umop apisdn