Re: [Pypgsql-users] SQL injection attack

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

>> Should pyPgSQL attempt to mitigate this, or just count on Postgresql to
>> "fix" it?:
>
>AFAICT they fixed it already but the fix involves client
>code having to be modified, so, yes, pyPgSQL needs to be
>released compiled against an updated libpq to take advantage
>of that fix. Which may still leave some "application" code
>having to be fixed, too.

This is the most detailed information I've found:

    http://www.postgresql.org/docs/techdocs.50

That document seems to suggest two slightly different things - that
they now raise an error on invalid multi-character combinations, and/or
that they don't allow backslash escaping when a potentially unsafe
client_encoding is used.

I haven't been able to trigger the problem via pyPgSQL so far, but I
suspect I'm just doing it wrong. The above document suggests quoting '
by doubling it, rather than using the backslash escape, but I can't see
how this is any better.

I also think their "fix" is server-side, rather than in libpq.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/