Newsgroups: php.internals
Message-ID: <447A8E91.2030600@familyhealth.com.au>
Date: Mon, 29 May 2006 14:02:57 +0800
From: chriskl@familyhealth.com.au (Christopher Kings-Lynne)
To: internals@lists.php.net
In-Reply-To: <4476C5C1.9080704@calorieking.com>
Subject: Re: [PHP-DEV] Recent PostgreSQL serious security hole

As a follow up I've attached my initial patch for this. Can people please review?

Chris

Christopher Kings-Lynne wrote:
> Hi,
>
> I'm starting on a pg_real_escape_string and pg_real_escape_bytea
> function for PostgreSQL, based on this security release:
>
> http://www.postgresql.org/docs/techdocs.49
>
> Is anyone else working on it, or is it fine that I do it? I'll let you
> know if it's going to take me too long.
>
> Basically the new functions are analogous to the
> mysql_real_escape_string function. The difference will be that the
> pgsql function will have the optional DB connection resource as the
> first parameter rather than the second. (Same as other pgsql functions)
>
> Any comments?
>
> There may be cause to backport these functions ... although the existing
> pg_escape_string function is safe in a single threaded context. That's
> your guys' call.
>
> Chris
>

[Attachment: pgsql.txt.gz (application/x-gzip), base64 content omitted]