git.postgresql.org Git - postgresql.git/commitdiff

diff --git a/doc/src/sgml/syntax.sgml b/doc/src/sgml/syntax.sgml

index 48bf5a4feb8e914bc7f331b8e09aab03d32178a9..cf929f0b72e86004c803ec9f9406c2466ae4be15 100644 (file)

--- a/doc/src/sgml/syntax.sgml

+++ b/doc/src/sgml/syntax.sgml

-<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009年04月27日 16:27:36 momjian Exp $ -->

+<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009年05月05日 18:32:17 petere Exp $ -->

<chapter id="sql-syntax">

<title>SQL Syntax</title>

specified.

</para>

+ <para>

+ Also, the Unicode escape syntax for string constants only works

+ when the configuration

+ parameter <xref linkend="guc-standard-conforming-strings"> is

+ turned on. This is because otherwise this syntax could confuse

+ clients that parse the SQL statements to the point that it could

+ lead to SQL injections and similar security issues. If the

+ parameter is set to off, this syntax will be rejected with an

+ error message.

+ </para>

+

<para>

To include the escape character in the string literally, write it

twice.

diff --git a/src/backend/parser/scan.l b/src/backend/parser/scan.l

index 8551cd27538eed6a8b1b2fa75560ec251c104a14..eb0fc10c8f3df747ac2d955805304fda72836d8b 100644 (file)

--- a/src/backend/parser/scan.l

+++ b/src/backend/parser/scan.l

* Portions Copyright (c) 1994, Regents of the University of California

*

* IDENTIFICATION

- * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.151 2009年04月19日 21:08:54 tgl Exp $

+ * $PostgreSQL: pgsql/src/backend/parser/scan.l,v 1.152 2009年05月05日 18:32:17 petere Exp $

*

*-------------------------------------------------------------------------

*/

startlit();

}

{xusstart} {

+ if (!standard_conforming_strings)

+ ereport(ERROR,

+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

+ errmsg("unsafe use of string constant with Unicode escapes"),

+ errdetail("String constants with Unicode escapes cannot be used when standard_conforming_strings is off.")));

SET_YYLLOC();

BEGIN(xus);

startlit();

diff --git a/src/test/regress/expected/strings.out b/src/test/regress/expected/strings.out

index 6b9dc5df9f46983a2d2e07eecd087e5ab6cbe2c2..831fb9e2037cd82b95a5e1fb0582963344029671 100644 (file)

--- a/src/test/regress/expected/strings.out

+++ b/src/test/regress/expected/strings.out

LINE 3: ' - third line'

^

-- Unicode escapes

+SET standard_conforming_strings TO on;

SELECT U&'d0061円t\+000061' AS U&"d0061円t\+000061";

data

------

dat\+000061

(1 row)

+SELECT U&' \' UESCAPE '!' AS "tricky";

+ tricky

+--------

+ \

+(1 row)

+

+SELECT 'tricky' AS U&"\" UESCAPE '!';

+ \

+--------

+ tricky

+(1 row)

+

SELECT U&'wrong: 061円';

ERROR: invalid Unicode escape value at or near "061円'"

LINE 1: SELECT U&'wrong: 061円';

ERROR: invalid Unicode escape character at or near "+'"

LINE 1: SELECT U&'wrong: +0061' UESCAPE '+';

^

+SET standard_conforming_strings TO off;

+SELECT U&'d0061円t\+000061' AS U&"d0061円t\+000061";

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+SELECT U&' \' UESCAPE '!' AS "tricky";

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+SELECT 'tricky' AS U&"\" UESCAPE '!';

+ \

+--------

+ tricky

+(1 row)

+

+SELECT U&'wrong: 061円';

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+SELECT U&'wrong: \+0061';

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+SELECT U&'wrong: +0061' UESCAPE '+';

+ERROR: unsafe use of string constant with Unicode escapes

+DETAIL: String constants with Unicode escapes cannot be used when standard_conforming_strings is off.

+RESET standard_conforming_strings;

--

-- test conversions between various string types

-- E021-10 implicit casting among the character data types

diff --git a/src/test/regress/sql/strings.sql b/src/test/regress/sql/strings.sql

index 0da88c7b29e6f09effba211cb4f51903bd9156af..a28c75ac0449ec9c70738bea08c91790c4c5e610 100644 (file)

--- a/src/test/regress/sql/strings.sql

+++ b/src/test/regress/sql/strings.sql

AS "Illegal comment within continuation";

-- Unicode escapes

+SET standard_conforming_strings TO on;

+

+SELECT U&'d0061円t\+000061' AS U&"d0061円t\+000061";

+SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';

+

+SELECT U&' \' UESCAPE '!' AS "tricky";

+SELECT 'tricky' AS U&"\" UESCAPE '!';

+

+SELECT U&'wrong: 061円';

+SELECT U&'wrong: \+0061';

+SELECT U&'wrong: +0061' UESCAPE '+';

+

+SET standard_conforming_strings TO off;

+

SELECT U&'d0061円t\+000061' AS U&"d0061円t\+000061";

SELECT U&'d!0061t\+000061' UESCAPE '!' AS U&"d*0061t\+000061" UESCAPE '*';

+SELECT U&' \' UESCAPE '!' AS "tricky";

+SELECT 'tricky' AS U&"\" UESCAPE '!';

+

SELECT U&'wrong: 061円';

SELECT U&'wrong: \+0061';

SELECT U&'wrong: +0061' UESCAPE '+';

+RESET standard_conforming_strings;

+

--

-- test conversions between various string types

-- E021-10 implicit casting among the character data types