Abuhujair Javed / Postgres FD Implementation / Commits / 3b1790f9
Commit 3b1790f9 authored Jun 27, 2006 by Bruce Momjian
Add PQescapeIdentifier() to libpq
Christopher Kings-Lynne
parent
59a853e4
Changes: 4 changed files with 106 additions and 4 deletions (+106 -4)
doc/src/sgml/libpq.sgml (+63 -1)
src/interfaces/libpq/exports.txt (+3 -1)
src/interfaces/libpq/fe-exec.c (+37 -1)
src/interfaces/libpq/libpq-fe.h (+3 -1)
doc/src/sgml/libpq.sgml
<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.21
1 2006/05/23 22:13:19
momjian Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.21
2 2006/06/27 00:03:41
momjian Exp $ -->
<chapter id="libpq">
<title><application>libpq</application> - C Library</title>
...
...
@@ -2279,6 +2279,68 @@ in favor of <function>PQescapeStringConn</>.
</para>
</sect2>
<sect2 id="libpq-exec-escape-identifier">
<title>Escaping Identifier for Inclusion in SQL Commands</title>
<indexterm zone="libpq-exec-escape-identifier"><primary>PQescapeIdentifier</></>
<indexterm zone="libpq-exec-escape-identifier"><primary>escaping strings</></>
<para>
<function>PQescapeIdentifier</function> escapes a string for use
as an identifier name within an SQL command. For example; table names,
column names, view names and user names are all identifiers.
Double quotes (") must be escaped to prevent them from being interpreted
specially by the SQL parser. <function>PQescapeIdentifier</> performs this
operation.
</para>
<tip>
<para>
It is especially important to do proper escaping when handling strings that
were received from an untrustworthy source. Otherwise there is a security
risk: you are vulnerable to <quote>SQL injection</> attacks wherein unwanted
SQL commands are fed to your database.
</para>
</tip>
<para>
Note that it is still necessary to do escaping of identifiers when
using functions that support parameterized queries such as <function>PQexecParams</> or
its sibling routines. Only literal values are automatically escaped
using these functions, not identifiers.
<synopsis>
size_t PQescapeIdentifier (char *to, const char *from, size_t length);
</synopsis>
</para>
<para>
The parameter <parameter>from</> points to the first character of the
string that is to be escaped, and the <parameter>length</> parameter
gives the number of characters in this string. A terminating zero byte
is not required, and should not be counted in <parameter>length</>. (If
a terminating zero byte is found before <parameter>length</> bytes are
processed, <function>PQescapeIdentifier</> stops at the zero; the
behavior is thus rather like <function>strncpy</>.) <parameter>to</>
shall point to a buffer that is able to hold at least one more character
than twice the value of <parameter>length</>, otherwise the behavior is
undefined. A call to <function>PQescapeIdentifier</> writes an escaped
version of the <parameter>from</> string to the <parameter>to</> buffer,
replacing special characters so that they cannot cause any harm, and
adding a terminating zero byte. The double quotes that may surround
<productname>PostgreSQL</> identifiers are not included in the result
string; they should be provided in the SQL command that the result is
inserted into.
</para>
<para>
<function>PQescapeIdentifier</> returns the number of characters written
to <parameter>to</>, not including the terminating zero byte.
</para>
<para>
Behavior is undefined if the <parameter>to</> and <parameter>from</>
strings overlap.
</para>
</sect2>
<sect2 id="libpq-exec-escape-bytea">
<title>Escaping Binary Strings for Inclusion in SQL Commands</title>
...
...
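Review bot: the synopsis `size_t PQescapeIdentifier (char *to, const char *from, size_t length);` takes no PGconn, so the new function has exactly the shape of PQescapeString, which the paragraph immediately above this section deprecates in favor of PQescapeStringConn; the section should either explain why identifier escaping needs no connection (encoding and error-reporting) context or document a conn-aware form instead. Smaller points in the same hunk: the title should read "Escaping Identifiers for Inclusion in SQL Commands", the second indexterm repeats the "escaping strings" entry of the preceding section and should be "escaping identifiers", "For example; table names" needs a comma rather than a semicolon, and the `<synopsis>` sits inside the `<para>` about parameterized queries rather than in its own block as the other sections do.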
src/interfaces/libpq/exports.txt
# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.1
1 2006/05/28 22:42:05 tgl
Exp $
# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.1
2 2006/06/27 00:03:41 momjian
Exp $
# Functions to be exported by libpq DLLs
PQconnectdb 1
PQsetdbLogin 2
...
...
@@ -130,3 +130,5 @@ PQescapeByteaConn 127
PQencryptPassword 128
PQisthreadsafe 129
enlargePQExpBuffer 130
PQescapeIdentifier 131
src/interfaces/libpq/fe-exec.c
...
...
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.18
6 2006/05/28 21:13:54 tgl
Exp $
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.18
7 2006/06/27 00:03:41 momjian
Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -2515,6 +2515,42 @@ PQescapeString(char *to, const char *from, size_t length)
static_std_strings
);
}
/*
* Escaping arbitrary strings to get valid SQL identifier strings.
*
* Replaces " with "".
*
* length is the length of the source string. (Note: if a terminating NUL
* is encountered sooner, PQescapeIdentifier stops short of "length"; the behavior
* is thus rather like strncpy.)
*
* For safety the buffer at "to" must be at least 2*length + 1 bytes long.
* A terminating NUL character is added to the output string, whether the
* input is NUL-terminated or not.
*
* Returns the actual length of the output (not counting the terminating NUL).
*/
size_t
PQescapeIdentifier
(
char
*
to
,
const
char
*
from
,
size_t
length
)
{
const
char
*
source
=
from
;
char
*
target
=
to
;
size_t
remaining
=
length
;
while
(
remaining
>
0
&&
*
source
!=
'\0'
)
{
if
(
*
source
==
'"'
)
*
target
++
=
*
source
;
*
target
++
=
*
source
++
;
remaining
--
;
}
/* Write the terminating NUL character. */
*
target
=
'\0'
;
return
target
-
to
;
}
/*
* PQescapeBytea - converts from binary string to the
* minimal encoding necessary to include the string in an SQL
...
...
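Review bot: the while loop in PQescapeIdentifier inspects one byte at a time and has no PGconn, so it cannot consult the client encoding or report an error the way PQescapeStringConn does; if this is considered safe because only a single-byte `"` is ever doubled, the header comment should say so explicitly, otherwise the function re-introduces the conn-less escaping pattern that the libpq documentation marks as deprecated. The comment should also state that the output is not wrapped in double quotes (the caller must supply them in the SQL text), since "Replaces " with """ alone does not convey that, and that nothing in the loop bounds writes to `to`, so the 2*length + 1 sizing is entirely the caller's responsibility.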
src/interfaces/libpq/libpq-fe.h
...
...
@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.1
29 2006/05/23 22:13:19
momjian Exp $
* $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.1
30 2006/06/27 00:03:42
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -436,6 +436,8 @@ extern unsigned char *PQescapeByteaConn(PGconn *conn,
size_t
*
to_length
);
extern
unsigned
char
*
PQunescapeBytea
(
const
unsigned
char
*
strtext
,
size_t
*
retbuflen
);
extern
size_t
PQescapeIdentifier
(
char
*
to
,
const
char
*
from
,
size_t
length
);
/* These forms are deprecated! */
extern
size_t
PQescapeString
(
char
*
to
,
const
char
*
from
,
size_t
length
);
extern
unsigned
char
*
PQescapeBytea
(
const
unsigned
char
*
from
,
size_t
from_length
,
...
...
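Review bot: the new prototype is placed just above `/* These forms are deprecated! */`, alongside PQunescapeBytea, yet its parameter list `(char *to, const char *from, size_t length)` is identical to that of the deprecated PQescapeString declared right after the comment, with no `PGconn *`; either give it the connection-taking signature that justifies living in the non-deprecated group, or note the inconsistency so callers are not misled about its encoding awareness.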