X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d7d7b7b91dd75cec636fc144da7e27eed860f971..184e88237dea64ce48076cdd0184612d057cbafd:/src/src/lookups/pgsql.c?ds=inline diff --git a/src/src/lookups/pgsql.c b/src/src/lookups/pgsql.c index 207422c6d..e6e8f70ba 100644 --- a/src/src/lookups/pgsql.c +++ b/src/src/lookups/pgsql.c @@ -1,10 +1,10 @@ -/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.4 2006/02/07 11:19:01 ph10 Exp $ */ +/* $Cambridge: exim/src/src/lookups/pgsql.c,v 1.9 2007/01/08 10:50:19 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2006 */ +/* Copyright (c) University of Cambridge 1995 - 2007 */ /* See the file NOTICE for conditions of use and distribution. */ /* Thanks to Petr Cech for contributing the original code for these @@ -76,6 +76,28 @@ while ((cn = pgsql_connections) != NULL) } +/************************************************* +* Notice processor function for pgsql * +*************************************************/ + +/* This function is passed to pgsql below, and called for any PostgreSQL +"notices". By default they are written to stderr, which is undesirable. + +Arguments: + arg an opaque user cookie (not used) + message the notice + +Returns: nothing +*/ + +static void +notice_processor(void *arg, const char *message) +{ +arg = arg; /* Keep compiler happy */ +DEBUG(D_lookup) debug_printf("PGSQL: %s\n", message); +} + + /************************************************* * Internal search function * @@ -106,7 +128,7 @@ Arguments: server the server string; this is in dynamic memory and can be updated resultptr where to store the result errmsg where to point an error message - defer_break TRUE if no more servers are to be tried after DEFER + defer_break set TRUE if no more servers are to be tried after DEFER do_cache set FALSE if data is changed Returns: OK, FAIL, or DEFER @@ -243,10 +265,21 @@ if (cn == NULL) *errmsg = string_sprintf("PGSQL connection failed: %s", PQerrorMessage(pg_conn)); PQfinish(pg_conn); - *defer_break = FALSE; goto PGSQL_EXIT; } + /* Set the client encoding to SQL_ASCII, which means that the server will + not try to interpret the query as being in any fancy encoding such as UTF-8 + or other multibyte code that might cause problems with escaping. */ + + PQsetClientEncoding(pg_conn, "SQL_ASCII"); + + /* Set the notice processor to prevent notices from being written to stderr + (which is what the default does). Our function (above) just produces debug + output. */ + + PQsetNoticeProcessor(pg_conn, notice_processor, NULL); + /* Add the connection to the cache */ cn = store_get(sizeof(pgsql_connection)); @@ -294,7 +327,6 @@ else *errmsg = string_sprintf("PGSQL: query failed: %s (%s) (%s)\n", PQresultErrorMessage(pg_result), PQresStatus(PQresultStatus(pg_result)), query); - *defer_break = FALSE; goto PGSQL_EXIT; } @@ -395,7 +427,7 @@ DEBUG(D_lookup) debug_printf("PGSQL query: %s\n", query); while ((server = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL) { - BOOL defer_break; + BOOL defer_break = FALSE; int rc = perform_pgsql_search(query, server, result, errmsg, &defer_break, do_cache); if (rc != DEFER || defer_break) return rc; @@ -422,6 +454,16 @@ to allow escaping "on spec". If you use something like "where id="ab\%cd" it does treat the string as "ab%cd". So we can safely quote percent and underscore. [This is different to MySQL, where you can't do this.] +The original code quoted single quotes as \' which is documented as valid in +the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to +the SQL standard '' way of representing a single quote as data. However, in +June 2006 there was some security issue with using \' and so this has been +changed. + +[Note: There is a function called PQescapeStringConn() that quotes strings. +This cannot be used because it needs a PGconn argument (the connection handle). +Why, I don't know. Seems odd for just string escaping...] + Arguments: s the string to be quoted opt additional option text or NULL if none @@ -447,7 +489,12 @@ t = quoted = store_get(Ustrlen(s) + count + 1); while ((c = *s++) != 0) { - if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL) + if (c == '\'') + { + *t++ = '\''; + *t++ = '\''; + } + else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL) { *t++ = '\\'; switch(c)