[Libpqxx-general] packages that use deprecated SQL escape functions Was: possible use of vulnerable functions in libpqxx

Robert Backhaus-pqxx pqxx at robbak.com
Fri Oct 23 03:20:51 UTC 2009


Stephen,

Your post on "packages that use deprecated SQL escape functions" was
cross-posted to the libpqxx list.

As the post below states, libpqxx is a false positive. The references,
(mostly in configure.in) merely determine if the libpq C library around
which libpqxx is built contains PQescapeStringConn, and fall back to the
older one if an old libpq is being used, posting appropriate warnings.
So, if it is built with a recent libpq, libpqxx will not use PQescapeString.
On Fri, Oct 23, 2009 at 3:47 AM, Jeroen Vermeulen <jtv at xs4all.nl> wrote:

> Eugene V. Lyubimkin wrote:
>
>> Hi Jeroen,
>>
>> Debian security team prepared a list of packages [1] that use
>> mysql/postgresql
>> unsafe functions, and libpqxx3 is in this list as possible candidate.
>> Please read.
>>
>> [1]
>>
>> http://www.linux-archive.org/debian-development/383865-packages-use-deprecated-sql-escape-functions.html
>>
>
> No news there.  When built against a libpq that does not have
> PQescapeStringConn, then libpqxx will still use PQescapeString.  I don't
> think there's much reason for people to build libpqxx 3.0 against a libpq
> that doesn't have it.
>
> So basically, this is one of those false positives that the page mentions.
>
>
> Jeroen
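As an added example (not from libpqxx's own configure.in, and not part of this thread), a shell probe that does what the post describes: compile-test whether the installed libpq exports PQescapeStringConn, so a packager can see whether a build would fall back to the deprecated PQescapeString. It assumes a C compiler (`$CC`, default `cc`) and, when libpq is installed, `pg_config` on PATH.

```shell
#!/bin/sh
# Constructed example: a configure-style probe for PQescapeStringConn in the
# installed libpq, mirroring the check the post says libpqxx's configure.in
# performs. Prints the escape function a build would end up with.
# Assumes a C compiler ($CC, default cc) and pg_config on PATH when libpq is
# installed. Not taken from libpqxx itself.

probe_pqescapestringconn() {
    cc="${CC:-cc}"
    if ! command -v pg_config >/dev/null 2>&1; then
        echo "no-libpq"; return 2
    fi
    if ! command -v "$cc" >/dev/null 2>&1; then
        echo "no-compiler"; return 2
    fi
    incdir="$(pg_config --includedir)"
    libdir="$(pg_config --libdir)"
    tmpdir="$(mktemp -d)" || return 2

    # Only the link step matters: an old libpq has no PQescapeStringConn symbol.
    cat > "$tmpdir/probe.c" <<'EOF'
#include <libpq-fe.h>
int main(void) {
    void (*p)(void) = (void (*)(void))PQescapeStringConn;
    return p == 0;
}
EOF
    if "$cc" -I"$incdir" -L"$libdir" "$tmpdir/probe.c" -lpq \
            -o "$tmpdir/probe" >/dev/null 2>&1; then
        found="PQescapeStringConn"; status=0
    else
        # Legacy fallback: this is the case the Debian list flags.
        found="PQescapeString"; status=1
    fi
    rm -rf "$tmpdir"
    echo "$found"
    return "$status"
}

# Report without letting a non-zero probe status abort a 'set -e' caller.
result="$(probe_pqescapestringconn || true)"
echo "escape function this build would use: $result"
```

A non-zero exit status from the function is the signal a packager would act on: status 1 means the build would use the deprecated function, status 2 means the probe could not run.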