On 2006-02-26, Tatsuo Ishii <[EMAIL PROTECTED]> wrote: >> On 2006-02-20, Tatsuo Ishii <[EMAIL PROTECTED]> wrote: >> > In further investigation, Akio Ishida found this kind of attack is >> > possible even with EUC_JP/UTF-8. >> >> How? > > The details have been sent to cores.
I wasn't asking out of idle curiosity. Some preliminary investigation that I have done suggests that when using UTF-8, the proposed changes do not fix the problem (and may make matters worse). So I want to know whether the problem that I'm looking at is the same thing as the one you're looking at. UTF-8 has the property that neither ' nor \ can appear as part of a valid multibyte sequence. But many places in postgres are extremely sloppy about handling _invalid_ utf-8, and unless you're prepared to make the escape routine fail outright in such cases (which I would strongly favour), it is likely that there will always be ways to get malformed sequences into the backend (which itself is far too lax about parsing them). -- Andrew, Supernews http://www.supernews.com - individual and corporate NNTP services ---------------------------(end of broadcast)--------------------------- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly
