Hacker News new | ask | show | jobs
by icebraining 3213 days ago
How come it's impossible to properly escape user input? I get that it's hard if the format is complex, but I don't see what makes it categorically impossible, especially for a simple format like an SQL string. You just double every single quote and then surround the whole thing with single quotes.
1 comments
anton_gogolev 3213 days ago
> ...every single quote...

And then you come across \u0027 and you're screwed.

link
wruza 3212 days ago
Do you know any decent server that interprets 6-char \uxxxx sequences as part of its top-level query syntax? I mean, how do you safely pass '\u0027' literal to it anyway? If you can't, then its literals and escaping are broken by design, so it is good to know from the start of using it.

Edit: removed double backslash from literal to not confuse it with host language's escaping.

link
icebraining 3213 days ago
If you use a broken RDBMS, maybe. The standard is quite clear, and that certainly doesn't work in PortgreSQL.
link