Classes

pqxx::binarystring
    Binary data corresponding to PostgreSQL's "BYTEA" binary-string type.

Functions

PGSTD::string pqxx::transaction_base::esc(const char str[]) const
    Escape string for use as SQL string literal in this transaction.
PGSTD::string pqxx::transaction_base::esc(const char str[], size_t maxlen) const
    Escape string for use as SQL string literal in this transaction.
PGSTD::string pqxx::transaction_base::esc(const PGSTD::string &str) const
    Escape string for use as SQL string literal in this transaction.
PGSTD::string pqxx::connection_base::esc(const char str[])
    Escape string for use as SQL string literal on this connection.
PGSTD::string pqxx::connection_base::esc(const char str[], size_t maxlen)
    Escape string for use as SQL string literal on this connection.
PGSTD::string pqxx::connection_base::esc(const PGSTD::string &str)
    Escape string for use as SQL string literal on this connection.
PGSTD::string pqxx::transaction_base::esc_raw(const unsigned char str[], size_t len) const
    Escape binary data for use as SQL string literal in this transaction.
PGSTD::string pqxx::transaction_base::esc_raw(const PGSTD::string &) const
    Escape binary data for use as SQL string literal in this transaction.
PGSTD::string pqxx::connection_base::esc_raw(const unsigned char str[], size_t len)
    Escape binary string for use as SQL string literal on this connection.
PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const PGSTD::string &bin)
    Escape binary string for inclusion in SQL.
PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const char bin[])
    Escape binary string for inclusion in SQL.
PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const char bin[], size_t len)
    Escape binary string for inclusion in SQL.
PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const unsigned char bin[])
    Escape binary string for inclusion in SQL.
PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const unsigned char bin[], size_t len)
    Escape binary string for inclusion in SQL.
template<typename T> PGSTD::string pqxx::transaction_base::quote(const T &t) const
    Represent object as SQL string, including quoting & escaping.
template<typename T> PGSTD::string pqxx::connection_base::quote(const T &t)
    Represent object as SQL string, including quoting & escaping.
PGSTD::string pqxx::connection_base::quote(const binarystring &)
PGSTD::string pqxx::transaction_base::quote_name(const PGSTD::string &identifier) const
    Escape an SQL identifier for use in a query.
PGSTD::string pqxx::connection_base::quote_name(const PGSTD::string &identifier)
    Escape and quote an SQL identifier for use in a query.
PGSTD::string pqxx::transaction_base::quote_raw(const unsigned char str[], size_t len) const
    Binary-escape and quote a binarystring for use as an SQL constant.
PGSTD::string pqxx::transaction_base::quote_raw(const PGSTD::string &str) const
PGSTD::string pqxx::connection_base::quote_raw(const unsigned char str[], size_t len)
    Escape and quote a string of binary data.
pqxx::binarystring

Binary data corresponding to PostgreSQL's "BYTEA" binary-string type.

This class represents a binary string as stored in a field of type bytea. The raw value returned by a bytea field contains escape sequences for certain characters, which are filtered out by binarystring.

Internally a binarystring is zero-terminated, but it may also contain zero bytes, just like any other byte value. So don't assume that it can be treated as a C-style string unless you've made sure of this yourself.

The binarystring retains its value even if the result it was obtained from is destroyed, but it cannot be copied or assigned.

To convert the other way, i.e. from a raw series of bytes to a string suitable for inclusion as bytea values in your SQL, use the transaction's esc_raw() functions.

Escaping functions

Use these functions to "groom" user-provided strings before using them in your SQL statements. This reduces the chance of failures when users type unexpected characters, but more importantly, it helps prevent so-called SQL injection attacks.

To understand what SQL injection vulnerabilities are and why they should be prevented, imagine you use the following SQL statement somewhere in your program:

This shows a logged-in user important information on all accounts he is authorized to view. The userid and password strings are variables entered by the user himself.

Now, if the user is actually an attacker who knows (or can guess) the general shape of this SQL statement, imagine he enters the following password:

Does that make sense to you? Probably not. But if this is inserted into the SQL string by the C++ code above, the query becomes:

Is this what you wanted to happen? Probably not! The neat allowed_to_see() clause is completely circumvented by the "OR ('x' = 'x')" clause, which is always true. Therefore, the attacker will get to see all accounts in the database!

To prevent this from happening, use the transaction's esc() function:

Now, the quotes embedded in the attacker's string will be neatly escaped so they can't "break out" of the quoted SQL string they were meant to go into:

If you look carefully, you'll see that thanks to the added escape characters (a single-quote is escaped in SQL by doubling it) all we get is a very strange-looking password string, but not a change in the SQL statement.
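An added illustration, not code from libpqxx, of why escaping defeats the "break out" described above: a hand-rolled stand-in for esc()/quote() that doubles single quotes, a builder for the query shape the text describes, and a check that counts string literals the way the SQL lexer does, so the escaped query can be seen to keep its two literals while the unescaped one gains two. The names esc, quote, build_query and count_literals are this example's own, and unlike the real esc() the stand-in knows nothing about the connection's character encoding, so it is for understanding only.

```cpp
#include <cassert>
#include <string>

// Stand-in for transaction_base::esc(): in an SQL string literal a single
// quote is escaped by doubling it (encoding-unaware, unlike the real one).
std::string esc(const std::string &s) {
    std::string out;
    for (char c : s) out += (c == '\'') ? "''" : std::string(1, c);
    return out;
}

// Stand-in for quote(): escape, then wrap in quotes to get a complete
// SQL string constant.
std::string quote(const std::string &s) { return "'" + esc(s) + "'"; }

// The query shape the text describes, with or without escaping the inputs.
std::string build_query(const std::string &userid,
                        const std::string &password, bool escaped) {
    const std::string u = escaped ? quote(userid) : "'" + userid + "'";
    const std::string p = escaped ? quote(password) : "'" + password + "'";
    return "SELECT number,amount FROM accounts WHERE allowed_to_see(" +
           u + "," + p + ")";
}

// Count string literals as the SQL lexer would: a quote opens one, a doubled
// quote inside it is an escaped character, the next lone quote closes it.
// More literals than inputs means the input changed the statement's structure.
int count_literals(const std::string &q) {
    int n = 0;
    for (size_t i = 0; i < q.size(); ++i) {
        if (q[i] != '\'') continue;
        ++n;
        for (++i; i < q.size(); ++i) {
            if (q[i] != '\'') continue;
            if (i + 1 < q.size() && q[i + 1] == '\'') ++i;  // '' stays inside
            else break;
        }
    }
    return n;
}

int main() {
    // The password from the text above: its quote closes the literal early.
    const std::string attacker = "x') OR ('x' = 'x";
    assert(count_literals(build_query("user", "secret", false)) == 2);
    assert(count_literals(build_query("user", attacker, false)) == 4);  // broke out
    assert(count_literals(build_query("user", attacker, true)) == 2);   // contained
}
```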
PGSTD::string pqxx::transaction_base::esc(const char str[]) const  [inline]
    Escape string for use as SQL string literal in this transaction.

PGSTD::string pqxx::transaction_base::esc(const char str[], size_t maxlen) const  [inline]
    Escape string for use as SQL string literal in this transaction.

PGSTD::string pqxx::transaction_base::esc(const PGSTD::string &str) const  [inline]
    Escape string for use as SQL string literal in this transaction.

PGSTD::string pqxx::connection_base::esc(const char str[])
    Escape string for use as SQL string literal on this connection.

PGSTD::string pqxx::connection_base::esc(const char str[], size_t maxlen)
    Escape string for use as SQL string literal on this connection.

PGSTD::string pqxx::connection_base::esc(const PGSTD::string &str)
    Escape string for use as SQL string literal on this connection.

PGSTD::string pqxx::transaction_base::esc_raw(const unsigned char str[], size_t len) const  [inline]
    Escape binary data for use as SQL string literal in this transaction.

    Raw, binary data is treated differently from regular strings. Binary strings are never interpreted as text, so they may safely include byte values or byte sequences that don't happen to represent valid characters in the character encoding being used.

    The binary string does not stop at the first zero byte, as is the case with textual strings. Instead, it may contain zero bytes anywhere. If it happens to contain bytes that look like quote characters, or other things that can disrupt its use in SQL queries, they will be replaced with special escape sequences.
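An added example, not libpqxx's own code, of the escaping the two paragraphs above describe: a stand-in for esc_raw()/quote_raw() that writes bytes in PostgreSQL's "escape" bytea input format (printable ASCII as-is, backslash doubled, everything else, zero bytes and quotes included, as octal), plus the reverse decoding, so a round trip over a constructed sample with an embedded zero byte can be checked. The names esc_raw, quote_raw, unescape_bytea and bytes are this example's own; it assumes standard_conforming_strings is on, and real code should use the library's own esc_raw()/quote_raw().

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

typedef std::vector<unsigned char> bytes;

// Stand-in for esc_raw(): render raw bytes in PostgreSQL's "escape" bytea
// input format.  Printable ASCII passes through, a backslash becomes "\\",
// and every other byte (zero bytes and the single quote included) becomes an
// octal escape "\ooo".  A zero byte does not end the data.
std::string esc_raw(const bytes &bin) {
    std::string out;
    char oct[5];
    for (unsigned char b : bin) {
        if (b == '\\') out += "\\\\";
        else if (b >= 0x20 && b <= 0x7E && b != '\'') out += static_cast<char>(b);
        else { std::snprintf(oct, sizeof oct, "\\%03o", static_cast<unsigned>(b)); out += oct; }
    }
    return out;
}

// Stand-in for quote_raw(): the escaped bytes as a quoted SQL constant.  This
// assumes standard_conforming_strings is on (the default since PostgreSQL
// 9.1), so the backslashes reach the bytea input parser untouched.
std::string quote_raw(const bytes &bin) { return "'" + esc_raw(bin) + "'"; }

// What the server's bytea input parser does with that text; used here to
// verify that escaping and unescaping round-trips every byte.
bytes unescape_bytea(const std::string &s) {
    bytes out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '\\') { out.push_back(static_cast<unsigned char>(s[i])); continue; }
        if (i + 1 < s.size() && s[i + 1] == '\\') { out.push_back('\\'); ++i; continue; }
        unsigned v = 0;
        for (int k = 1; k <= 3 && i + k < s.size(); ++k) v = v * 8 + (s[i + k] - '0');
        out.push_back(static_cast<unsigned char>(v));
        i += 3;
    }
    return out;
}

int main() {
    // Constructed sample: a zero byte, text, a quote, a backslash, a high byte.
    const unsigned char raw[] = {0x00, 'a', '\'', '\\', 0xFF};
    const bytes sample(raw, raw + sizeof raw);
    assert(esc_raw(sample) == "\\000a\\047\\\\\\377");
    assert(unescape_bytea(esc_raw(sample)) == sample);
}
```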
PGSTD::string pqxx::transaction_base::esc_raw(const PGSTD::string &) const
    Escape binary data for use as SQL string literal in this transaction.

PGSTD::string pqxx::connection_base::esc_raw(const unsigned char str[], size_t len)
    Escape binary string for use as SQL string literal on this connection.

PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const PGSTD::string &bin)  [related]
    Escape binary string for inclusion in SQL.

PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const char bin[])  [related]
    Escape binary string for inclusion in SQL.

PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const char bin[], size_t len)  [related]
    Escape binary string for inclusion in SQL.

PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const unsigned char bin[])  [related]
    Escape binary string for inclusion in SQL.

PGSTD::string PQXX_LIBEXPORT pqxx::escape_binary(const unsigned char bin[], size_t len)  [related]
    Escape binary string for inclusion in SQL.

template<typename T> PGSTD::string pqxx::transaction_base::quote(const T &t) const  [inline]
    Represent object as SQL string, including quoting & escaping.
    Nulls are recognized and represented as SQL nulls.

template<typename T> PGSTD::string pqxx::connection_base::quote(const T &t)  [inline]
    Represent object as SQL string, including quoting & escaping.
    Nulls are recognized and represented as SQL nulls.
    References pqxx::to_string().

PGSTD::string pqxx::connection_base::quote(const binarystring &)

PGSTD::string pqxx::transaction_base::quote_name(const PGSTD::string &identifier) const  [inline]
    Escape an SQL identifier for use in a query.

PGSTD::string pqxx::connection_base::quote_name(const PGSTD::string &identifier)
    Escape and quote an SQL identifier for use in a query.

PGSTD::string pqxx::transaction_base::quote_raw(const unsigned char str[], size_t len) const  [inline]
    Binary-escape and quote a binarystring for use as an SQL constant.

PGSTD::string pqxx::transaction_base::quote_raw(const PGSTD::string &str) const

PGSTD::string pqxx::connection_base::quote_raw(const unsigned char str[], size_t len)
    Escape and quote a string of binary data.