Re: [HACKERS] PQescapeIdentifier

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <bruce@momjian.us>
Cc: Christopher Kings-Lynne <chriskl@familyhealth.com.au>, PostgreSQL-patches <pgsql-patches@postgresql.org>
Date: 2006-06-27T01:39:57Z
Lists: pgsql-hackers
Bruce Momjian <bruce@momjian.us> writes:
> Tom Lane wrote:
>> Have either of you inquired into the encoding-safety of this code?
>> It certainly looks like no consideration was given for that.

> I thought of that but I assume we were not accepting user-supplied
> identifiers for this --- that this was only for application use.  Am I
> wrong?

By definition, an escaping routine is not supposed to trust the data it
is handed.  We *will* be seeing a CVE report if this function has got
any escaping vulnerability.

If you insist on a practical example, I can certainly imagine someone
thinking it'd be cool to allow searches on a user-selected column, and
implementing that by passing the user-given column name straight into
the query with only PQescapeIdentifier for safety.

			regards, tom lane