Newsgroups: php.internals
Date: Mon, 29 May 2006 22:57:29 +0200
From: helly@php.net (Marcus Boerger)
To: Christopher Kings-Lynne
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Recent PostgreSQL serious security hole

Hello Christopher,

there's an interesting detail in your patch I never used in the form you did:
php_error_docref("function.pg-real-escape-bytea" ...) where the name you passed in is different from the name of the function. That works as expected?

On the same thing, you say that the function is deprecated. You may however want to flag the deprecated function using the corresponding flag: ZEND_ACC_DEPRECATED.

Rest looks correct - of course.

best regards
marcus

Monday, May 29, 2006, 8:02:57 AM, you wrote:

> As a follow up I've attached my initial patch for this. Can people
> please review?

> Chris

> Christopher Kings-Lynne wrote:
>> Hi,
>>
>> I'm starting on a pg_real_escape_string and pg_real_escape_bytea
>> function for PostgreSQL, based on this security release:
>>
>> http://www.postgresql.org/docs/techdocs.49
>>
>> Is anyone else working on it, or is it fine that I do it? I'll let you
>> know if it's going to take me too long.
>>
>> Basically the new functions are analogous to the
>> mysql_real_escape_string function. The difference will be that the
>> pgsql function will have the optional DB connection resource as the
>> first parameter rather than the second. (Same as other pgsql functions)
>>
>> Any comments?
>>
>> There may be cause to backport these functions ... although the existing
>> pg_escape_string function is safe in a single threaded context. That's
>> your guys' call.
>>
>> Chris
>>

Best regards,
 Marcus