[Dbix-class] Escaping placeholders

[Tim Bunce]

On Sat, Dec 20, 2014 at 05:35:55PM +0100, Alexander Foken wrote:
> On 20.12.2014 15:38, Tim Bunce wrote:
> >Can you, or anyone else, think of any situation where a backslash before
> >a ? or :foo (or even $1) style placeholder might be valid SQL?
> 
> I found two situations for PostgreSQL:
> 
> (1) PostgreSQL allows almost any character as escape character in
> Unicode string constants (<http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-UESCAPE>).
> With that, I can construct  an expression containing \:foo that is
> valid SQL as understood by PostgreSQL:
> 
>     U&'foo\:AAAAbar' UESCAPE ':'
> 
> This expression represents the string foo\Xbar, where X is the
> Unicode character U+AAAA ("TAI VIET LETTER LOW VO").

I don't think that'll be a problem because the driver code that parses
the statement looking for placeholders will skip over quoted strings.

> (2) PostgreSQL also allows "Dollar quoting" (<http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-DOLLAR-QUOTING>).
> With that, I can construct an expression containing \$1 that is
> valid SQL as understood by PostgreSQL:
> 
>     $1$foo\$1$
> 
> This expression represents the string foo\, quoted by dollar signs
> using the character 1 as tag.

I'm not sure if the driver code that parses statements in DBD::Pg
handles dollar quoting. I presume so. In which case this shouldn't be a
problem either for the same reason as above.

> >So far no one has come up with one, so I'm getting more comfortable
> >with the idea that a backslash before a placeholder is a safe change.
> >I.e., there's a near-zero risk that upgrading a DBI driver to support
> >backslashes would cause breakage in existing code.
> 
> Do you plan to escape the escape character, i.e. use a double
> backslash at DBI level to represent a single backslash at database
> level?

That's a good question. I'm not sure. I think the answer has to be no.
I'd welcome any input on that.

Tim.