-
+
<application>libpq</application> - C Library
-
-
Escaping Identifier for Inclusion in SQL Commands
-
-
-PQescapeIdentifier escapes a string for use
-as an identifier name within an SQL command. For example; table names,
-column names, view names and user names are all identifiers.
-Double quotes (") must be escaped to prevent them from being interpreted
-specially by the SQL parser. PQescapeIdentifier performs this
-operation.
-
-
-
-It is especially important to do proper escaping when handling strings that
-were received from an untrustworthy source. Otherwise there is a security
-risk: you are vulnerable to SQL injection attacks wherein unwanted
-SQL commands are fed to your database.
-
-
-
-Note that it is still necessary to do escaping of identifiers when
-using functions that support parameterized queries such as PQexecParams or
-its sibling routines. Only literal values are automatically escaped
-using these functions, not identifiers.
-
-
-size_t PQescapeIdentifier (char *to, const char *from, size_t length);
-
-
-
-The parameter
from points to the first character of the-string that is to be escaped, and the
length parameter-gives the number of characters in this string. A terminating zero byte
-is not required, and should not be counted in
length. (If-a terminating zero byte is found before
length bytes are-processed, PQescapeIdentifier stops at the zero; the
-behavior is thus rather like
strncpy.) to-shall point to a buffer that is able to hold at least one more character
-than twice the value of
length, otherwise the behavior is-undefined. A call to PQescapeIdentifier writes an escaped
-version of the
from string to the to buffer,-replacing special characters so that they cannot cause any harm, and
-adding a terminating zero byte. The double quotes that may surround
-
PostgreSQL identifiers are not included in the result-string; they should be provided in the SQL command that the result is
-inserted into.
-
-PQescapeIdentifier returns the number of characters written
-to
to, not including the terminating zero byte.-
-Behavior is undefined if the
to and from-strings overlap.
-
-
Escaping Binary Strings for Inclusion in SQL Commands
-# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.12 2006/06/27 00:03:41 momjian Exp $
+# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.13 2006/07/04 13:22:15 momjian Exp $
# Functions to be exported by libpq DLLs
PQconnectdb 1
PQsetdbLogin 2
PQencryptPassword 128
PQisthreadsafe 129
enlargePQExpBuffer 130
-PQescapeIdentifier 131
-
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.187 2006/06/27 00:03:41 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-exec.c,v 1.188 2006/07/04 13:22:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
static_std_strings);
}
-/*
- * Escaping arbitrary strings to get valid SQL identifier strings.
- *
- * Replaces " with "".
- *
- * length is the length of the source string. (Note: if a terminating NUL
- * is encountered sooner, PQescapeIdentifier stops short of "length"; the behavior
- * is thus rather like strncpy.)
- *
- * For safety the buffer at "to" must be at least 2*length + 1 bytes long.
- * A terminating NUL character is added to the output string, whether the
- * input is NUL-terminated or not.
- *
- * Returns the actual length of the output (not counting the terminating NUL).
- */
-size_t
-PQescapeIdentifier(char *to, const char *from, size_t length)
-{
- const char *source = from;
- char *target = to;
- size_t remaining = length;
-
- while (remaining > 0 && *source != '\0')
- {
- if (*source == '"')
- *target++ = *source;
- *target++ = *source++;
- remaining--;
- }
-
- /* Write the terminating NUL character. */
- *target = '\0';
-
- return target - to;
-}
-
/*
* PQescapeBytea - converts from binary string to the
* minimal encoding necessary to include the string in an SQL
* Portions Copyright (c) 1996-2006, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.130 2006/06/27 00:03:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.131 2006/07/04 13:22:15 momjian Exp $
*
*-------------------------------------------------------------------------
*/
size_t *to_length);
extern unsigned char *PQunescapeBytea(const unsigned char *strtext,
size_t *retbuflen);
-extern size_t PQescapeIdentifier(char *to, const char *from, size_t length);
-
/* These forms are deprecated! */
extern size_t PQescapeString(char *to, const char *from, size_t length);
extern unsigned char *PQescapeBytea(const unsigned char *from, size_t from_length,
projects / postgresql.git / commitdiff