Provide function to escape strings provided to Postgres? #575

Closed
jsdw opened this issue Feb 24, 2020 · 3 comments · Fixed by #702

@jsdw

jsdw commented Feb 24, 2020

I have a program to help instantiate my database, which internally runs:

CREATE USER foo WITH PASSWORD user-input-here

Since prepared statements (and so $1, $2..) do not work in this context, is there a way that I can escape the password string provided by the user before passing it to the above?

Might this be a useful piece of functionality to provide from this library? (I appreciate that its use should be discouraged).

@sfackler
Owner

It probably does make sense to provide this for these kinds of use cases. I think placing the function in the postgres-protocol crate and sticking some sternly-worded docs on it should be sufficient to discourage overuse.

@bbqsrc

bbqsrc commented Sep 14, 2020

It isn't possible to put it in postgres-protocol from what I can see due to the dependency on the first field's PGconn:

/* Quoting strings before inclusion in queries. */
extern size_t PQescapeStringConn(PGconn *conn,
				 char *to, const char *from, size_t length,
				 int *error);
extern char *PQescapeLiteral(PGconn *conn, const char *str, size_t len);
extern char *PQescapeIdentifier(PGconn *conn, const char *str, size_t len);

Do you have a suggestion on where it should go given this?

@jeff-davis
Contributor

I created PR #702 to address this.

I don't think PQescapeStringConn is necessary. It doesn't provide much value over PQescapeLiteral for new applications, and as you say, it requires the connection object which is annoying.

PQescapeLiteral in libpq does take the connection object as well, but it's only used to determine the client encoding, and report errors. Neither seems relevant because rust-postgres always uses UTF-8 and doesn't try to handle out-of-memory errors.

So I implemented it in postgres-protocol by just porting the libpq code to rust.
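
The quoting rules discussed in this thread, as an added example that is not part of the issue or of PR #702: a standalone Rust sketch of libpq-style literal and identifier quoting, applied to the CREATE USER statement from the first comment. The function names and the choice to reject NUL bytes are assumptions of this example, and UTF-8 client encoding is assumed as stated above.

```rust
// Added example, not code from postgres-protocol or PR #702.
// Function names here are this example's own.

/// Quote `s` as a string literal following libpq's PQescapeLiteral rules,
/// assuming UTF-8 client encoding (which the thread says rust-postgres uses).
fn escape_literal(s: &str) -> Result<String, &'static str> {
    // This example's choice: reject NUL, which PostgreSQL text cannot hold.
    if s.contains('\0') {
        return Err("NUL byte in literal");
    }
    let mut out = String::with_capacity(s.len() + 4);
    // A backslash forces the E'...' form, so the result means the same thing
    // whether standard_conforming_strings is on or off.
    if s.contains('\\') {
        out.push_str(" E");
    }
    out.push('\'');
    for c in s.chars() {
        match c {
            '\'' => out.push_str("''"),   // double embedded single quotes
            '\\' => out.push_str("\\\\"), // double embedded backslashes
            _ => out.push(c),
        }
    }
    out.push('\'');
    Ok(out)
}

/// Quote `s` as an identifier: wrap in double quotes, double embedded ones.
fn escape_identifier(s: &str) -> Result<String, &'static str> {
    if s.contains('\0') {
        return Err("NUL byte in identifier");
    }
    Ok(format!("\"{}\"", s.replace('"', "\"\"")))
}

/// The statement from the issue, built with both parts quoted.
fn create_user_sql(user: &str, password: &str) -> Result<String, &'static str> {
    Ok(format!(
        "CREATE USER {} WITH PASSWORD {}",
        escape_identifier(user)?,
        escape_literal(password)?
    ))
}

fn main() {
    // Constructed sample input containing a quote and a backslash.
    println!("{}", create_user_sql("foo", "it's\\here").unwrap());
}
```

The leading space before `E` keeps the literal from merging with a preceding token when it is concatenated into a larger statement.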
