Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/runtime.sgml | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index f77ee8e035a..718e90d8f85 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.7 2003/04/04 00:32:57 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.8 2006/05/21 20:12:20 tgl Exp $
 -->
 
 <Chapter Id="runtime">
@@ -1318,6 +1318,35 @@ env PGOPTIONS='-c geqo=off' psql
 </listitem>
 </varlistentry>
 
+ <varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
+ <term><varname>BACKSLASH_QUOTE</varname> (<type>string</type>)</term>
+ <indexterm><primary>strings</><secondary>backslash quotes</></>
+ <indexterm>
+ <primary><varname>backslash_quote</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ This controls whether a quote mark can be represented by
+ <literal>\'</> in a string literal. The preferred, SQL-standard way
+ to represent a quote mark is by doubling it (<literal>''</>) but
+ <productname>PostgreSQL</> has historically also accepted
+ <literal>\'</>. However, use of <literal>\'</> creates security risks
+ because in some client character set encodings, there are multibyte
+ characters in which the last byte is numerically equivalent to ASCII
+ <literal>\</>. If client-side code does escaping incorrectly then a
+ SQL-injection attack is possible. This risk can be prevented by
+ making the server reject queries in which a quote mark appears to be
+ escaped by a backslash.
+ The allowed values of <varname>backslash_quote</> are
+ <literal>on</> (allow <literal>\'</> always),
+ <literal>off</> (reject always), and
+ <literal>safe_encoding</> (allow only if client encoding does not
+ allow ASCII <literal>\</> within a multibyte character).
+ <literal>safe_encoding</> is the default setting.
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term><varname>CLIENT_ENCODING</varname> (<type>string</type>)</term>
 <indexterm><primary>character set encoding</></>