Diffstat (limited to 'doc/src')
-rw-r--r--doc/src/sgml/runtime.sgml31
1 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index f77ee8e035a..718e90d8f85 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
<!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.7 2003/04/04 00:32:57 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.147.2.8 2006/05/21 20:12:20 tgl Exp $
-->
<Chapter Id="runtime">
@@ -1318,6 +1318,35 @@ env PGOPTIONS='-c geqo=off' psql
</listitem>
</varlistentry>
+ <varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
+ <term><varname>BACKSLASH_QUOTE</varname> (<type>string</type>)</term>
+ <indexterm><primary>strings</><secondary>backslash quotes</></>
+ <indexterm>
+ <primary><varname>backslash_quote</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ This controls whether a quote mark can be represented by
+ <literal>\'</> in a string literal. The preferred, SQL-standard way
+ to represent a quote mark is by doubling it (<literal>''</>) but
+ <productname>PostgreSQL</> has historically also accepted
+ <literal>\'</>. However, use of <literal>\'</> creates security risks
+ because in some client character set encodings, there are multibyte
+ characters in which the last byte is numerically equivalent to ASCII
+ <literal>\</>. If client-side code does escaping incorrectly then a
+ SQL-injection attack is possible. This risk can be prevented by
+ making the server reject queries in which a quote mark appears to be
+ escaped by a backslash.
+ The allowed values of <varname>backslash_quote</> are
+ <literal>on</> (allow <literal>\'</> always),
+ <literal>off</> (reject always), and
+ <literal>safe_encoding</> (allow only if client encoding does not
+ allow ASCII <literal>\</> within a multibyte character).
+ <literal>safe_encoding</> is the default setting.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>CLIENT_ENCODING</varname> (<type>string</type>)</term>
<indexterm><primary>character set encoding</></>