| > but thanks to the vulnerable PQescapeString(), the following user_input would fuck it up Nope. To quote: https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-po... > Because of how PostgreSQL string escaping routines handle invalid UTF-8 characters, in combination with how invalid byte sequences within the invalid UTF-8 characters are processed by psql If you just pass it to postgres over a normal query, postgres will reject an invalid byte sequence in the query with an error, refuse to even parse the query, and thus you won't get a SQL injection. It's just that psql didn't hard-error on invalid utf-8, even though postgres did. That's why the escape function was suitable for postgres, both the escape function and postgres's query parser assume invalid byte sequences are, you know, invalid. > For parametrized queries, params don't go through serialization because they don't need to hit the parser, there's no "escaping" whatsoever. You're right of course, I used imprecise language that everyone understands, and you're choosing to read critically in order to be combative. You don't have to be so combative. |
> I used imprecise language that everyone understands, and you're choosing to read critically in order to be combative.
No, your "imprecise language" is a fundamental and quite dangerous misunderstanding that could easily lead to more vulnerabilities like this one ("PQexecParams = PQexec + PQescapeString, amiright? I'll just use the latter"). Maybe you didn't misunderstand yourself, maybe you did, but it's 100% misleading for readers not familiar with db internals.