From 376d2ec0874144ee64e21ca79362793f116a381c Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 30 Oct 2015 14:54:17 +0000 Subject: Lookups: Do not escape percent or underbar in the ${quote_pgsql: } operator. Bug 1706 --- src/src/lookups/pgsql.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/src/lookups/pgsql.c b/src/src/lookups/pgsql.c index 4be3d98f1..01c5375bc 100644 --- a/src/src/lookups/pgsql.c +++ b/src/src/lookups/pgsql.c @@ -413,12 +413,6 @@ return lf_sqlperform(US"PostgreSQL", US"pgsql_servers", pgsql_servers, query, /* The characters that always need to be quoted (with backslash) are newline, tab, carriage return, backspace, backslash itself, and the quote characters. -Percent and underscore are only special in contexts where they can be wild -cards, and this isn't usually the case for data inserted from messages, since -that isn't likely to be treated as a pattern of any kind. However, pgsql seems -to allow escaping "on spec". If you use something like "where id="ab\%cd" it -does treat the string as "ab%cd". So we can safely quote percent and -underscore. [This is different to MySQL, where you can't do this.] The original code quoted single quotes as \' which is documented as valid in the O'Reilly book "Practical PostgreSQL" (first edition) as an alternative to @@ -448,7 +442,7 @@ uschar *quoted; if (opt != NULL) return NULL; /* No options recognized */ while ((c = *t++) != 0) - if (Ustrchr("\n\t\r\b\'\"\\%_", c) != NULL) count++; + if (Ustrchr("\n\t\r\b\'\"\\", c) != NULL) count++; if (count == 0) return s; t = quoted = store_get(Ustrlen(s) + count + 1); @@ -460,7 +454,7 @@ while ((c = *s++) != 0) *t++ = '\''; *t++ = '\''; } - else if (Ustrchr("\n\t\r\b\"\\%_", c) != NULL) + else if (Ustrchr("\n\t\r\b\"\\", c) != NULL) { *t++ = '\\'; switch(c) -- cgit v1.2.3