Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/runtime.sgml | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 547ea5af46..91b59d0f86 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.215.2.8 2004/04/22 08:31:36 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.215.2.9 2006/05/21 20:11:58 tgl Exp $
 -->
 
 <Chapter Id="runtime">
@@ -2396,6 +2396,35 @@ dynamic_library_path = '/usr/local/lib/postgresql:/home/my_project/lib:$libdir'
 </listitem>
 </varlistentry>
 
+ <varlistentry id="guc-backslash-quote" xreflabel="backslash_quote">
+ <term><varname>backslash_quote</varname> (<type>string</type>)</term>
+ <indexterm><primary>strings</><secondary>backslash quotes</></>
+ <indexterm>
+ <primary><varname>backslash_quote</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ This controls whether a quote mark can be represented by
+ <literal>\'</> in a string literal. The preferred, SQL-standard way
+ to represent a quote mark is by doubling it (<literal>''</>) but
+ <productname>PostgreSQL</> has historically also accepted
+ <literal>\'</>. However, use of <literal>\'</> creates security risks
+ because in some client character set encodings, there are multibyte
+ characters in which the last byte is numerically equivalent to ASCII
+ <literal>\</>. If client-side code does escaping incorrectly then a
+ SQL-injection attack is possible. This risk can be prevented by
+ making the server reject queries in which a quote mark appears to be
+ escaped by a backslash.
+ The allowed values of <varname>backslash_quote</> are
+ <literal>on</> (allow <literal>\'</> always),
+ <literal>off</> (reject always), and
+ <literal>safe_encoding</> (allow only if client encoding does not
+ allow ASCII <literal>\</> within a multibyte character).
+ <literal>safe_encoding</> is the default setting.
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry>
 <term><varname>regex_flavor</varname> (<type>string</type>)</term>
 <indexterm><primary>regular expressions</></> |