-/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.3 2005/09/13 11:27:45 ph10 Exp $ */
+/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.6 2006/07/14 14:21:27 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2005 */
+/* Copyright (c) University of Cambridge 1995 - 2006 */
/* See the file NOTICE for conditions of use and distribution. */
/* Thanks to Petr Cech for contributing the original code for these
goto PGSQL_EXIT;
}
+ /* Set the client encoding to SQL_ASCII, which means that the server will
+ not try to interpret the query as being in any fancy encoding such as UTF-8
+ or other multibyte code that might cause problems with escaping. */
+
+ PQsetClientEncoding(pg_conn, "SQL_ASCII");
+
/* Add the connection to the cache */
cn = store_get(sizeof(pgsql_connection));
does treat the string as "ab%cd". So we can safely quote percent and
underscore. [This is different to MySQL, where you can't do this.]
+The original code quoted single quotes as \' which is documented as valid in
+the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to
+the SQL standard '' way of representing a single quote as data. However, in
+June 2006 there was some security issue with using \' and so this has been
+changed.
+
+[Note: There is a function called PQescapeStringConn() that quotes strings.
+This cannot be used because it needs a PGconn argument (the connection handle).
+Why, I don't know. Seems odd for just string escaping...]
+
Arguments:
s the string to be quoted
opt additional option text or NULL if none
while ((c = *s++) != 0)
{
- if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL)
+ if (c == '\'')
+ {
+ *t++ = '\'';
+ *t++ = '\'';
+ }
+ else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL)
{
*t++ = '\\';
switch(c)