package exim4-daemon-heavy
tags #369351 - fixed-upstream
user [EMAIL PROTECTED]
usertags 369351 - status-RESOLVED resolution-FIXED
usertags 369351 + status-REOPENED
thanks
On Fri, Jun 30, 2006 at 06:18:37PM +0200, Florian Weimer wrote:
> * Marc Haber:
>
> >> +The original code quoted single quotes as \' which is documented as valid in
> >> +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
> >> +the SQL standard '' way of representing a single quote as data. However, in
> >> +June 2006 there was some security issue with using \' and so this has been
> >> +changed.
>
> This is still not correct. You need to deal with multi-byte character
> encodings while quoting, otherwise you still suffer from the
> vulnerability for certain encodings.
>
> >> +[Note: There is a function called PQescapeStringConn() that quotes strings.
> >> +This cannot be used because it needs a PGconn argument (the connection handle).
> >> +Why, I don't know. Seems odd for just string escaping...]
>
> PQescapeStringConn uses the connection handle to determine the
> encoding of the passed string. If you can't supply the handle,
> PQescapeString is the better choice, but it relies on an internal
> global variable.
>
> I'm going to have a look at how Exim deals with SQL backends. Perhaps
> there is a reasonably portable way to do away with all that quoting.

I have forwarded this to the exim bugzilla bug.

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
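An added example, not code from Exim or from anyone in this thread, illustrating the multi-byte point Florian makes: a byte-level `\'` escaper beside an encoding-aware one that uses `''` doubling, both checked against a toy lexer that decodes the literal with the client encoding (as a server would). The toy lexer, the constructed Shift_JIS input and all function names are assumptions of the example, not anything from Exim or libpq.

```python
# Added example (not Exim's code, not Florian Weimer's): why byte-level "\'"
# escaping is unsafe under multibyte client encodings and why an escaper must
# know the encoding (PQescapeStringConn reads it from the PGconn handle).
# literal_body() is an assumed toy model of a server lexing a string literal
# under the backslash-escaping rules PostgreSQL applied at the time.

def escape_naive(data: bytes) -> bytes:
    """Encoding-blind escaper: doubles backslashes and turns ' into \\'.
    It cannot know that 0x5C may be the trail byte of a multibyte character."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def escape_aware(data: bytes, encoding: str) -> bytes:
    """Encoding-aware escaper: decode with the connection's client encoding
    (malformed input raises UnicodeDecodeError instead of reaching the server),
    then apply SQL-standard '' doubling at the character level."""
    return data.decode(encoding).replace("'", "''").encode(encoding)

def literal_body(sql: bytes, encoding: str) -> tuple:
    """Toy lexer: decode sql (which must start with a quote) with the client
    encoding and scan for the closing quote, honouring '' and backslash
    escapes. Returns (literal body, text following the literal)."""
    chars = sql.decode(encoding)
    if not chars.startswith("'"):
        raise ValueError("expected a quoted literal")
    out, i = [], 1
    while i < len(chars):
        c = chars[i]
        if c == "\\" and i + 1 < len(chars):          # \x -> x
            out.append(chars[i + 1])
            i += 2
        elif c == "'" and chars[i + 1:i + 2] == "'":  # '' -> '
            out.append("'")
            i += 2
        elif c == "'":                                # closing quote
            return "".join(out), chars[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")

def quote(escaped: bytes) -> bytes:
    """Wrap escaped bytes in quotes, as a query template would."""
    return b"'" + escaped + b"'"

if __name__ == "__main__":
    # Constructed malformed Shift_JIS input: lead byte 0x95, then a quote.
    bad = b"\x95'x"
    print(literal_body(quote(escape_naive(bad)), "shift_jis"))  # ('表', "x'")
    # The inserted 0x5C fused with 0x95 into one character (表), so the quote
    # went unescaped and the literal closed early; escape_aware() rejects bad.
```

Well-formed input is handled correctly by the aware escaper even when its encoding contains 0x5C: `"表'".encode("shift_jis")` is `b"\x95\x5c'"`, and `literal_body(quote(escape_aware(...)), "shift_jis")` round-trips it to `("表'", "")`.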