author | Peter Eisentraut <peter_e@gmx.net> | 2009-05-05 18:32:17 +0000 |
---|---|---|
committer | Peter Eisentraut <peter_e@gmx.net> | 2009-05-05 18:32:17 +0000 |
commit | 40bc4c260508e8a2579bd2106e1f81b6795d147b (patch) | |
tree | d2ad86c55d2795e0746a56f93d0c56852b315147 /doc/src | |
parent | 616bceb8cb67c4f7641d933d0963373963e7492e (diff) | |
download | postgresql-40bc4c260508e8a2579bd2106e1f81b6795d147b.tar.gz postgresql-40bc4c260508e8a2579bd2106e1f81b6795d147b.zip |
Disable the use of Unicode escapes in string constants (U&'') when
standard_conforming_strings is not on, for security reasons.
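Added example, not part of this commit or of the PostgreSQL documentation it touches: a psql session that checks the behaviour the commit message describes on a server built with this change. The only assumptions are that the session starts on such a server and that the session-level SET calls, which are mine, are permitted (the parameter is user-settable, so no superuser rights are needed).

```sql
-- Added example (not from the commit): exercise the restriction in a psql session.

-- 1. See which mode the session inherited from postgresql.conf.
SHOW standard_conforming_strings;

-- 2. With the parameter on, both escape forms from the manual decode to 'data':
--    \XXXX is a 4-digit code point, \+XXXXXX a 6-digit one, and UESCAPE picks
--    a different escape character.
SET standard_conforming_strings = on;
SELECT U&'d\0061t\+000061'              AS with_backslash,
       U&'d!0061t!+000061' UESCAPE '!'  AS with_custom_escape;

-- 3. With the parameter off, the same literals are refused before execution.
--    Each statement below fails independently; neither returns a row with a
--    silently different value.
SET standard_conforming_strings = off;
SELECT U&'d\0061t\+000061'              AS with_backslash;
SELECT U&'d!0061t!+000061' UESCAPE '!'  AS with_custom_escape;

-- 4. Per-session override: an application that needs Unicode escapes while the
--    server default stays off turns the parameter on for its own connection.
SET standard_conforming_strings = on;
SELECT U&'\0441\043B\043E\043D' AS cyrillic;  -- U+0441 U+043B U+043E U+043D spell слон
```

In step 3 a server carrying this change reports `ERROR:  unsafe use of string constant with Unicode escapes`, with the detail `String constants with Unicode escapes cannot be used when standard_conforming_strings is off.`; the rejection happens while the statement is being scanned, so no part of it runs. Step 4 is the practical fix for clients that want the syntax without changing the server-wide default, and because libpq reports `standard_conforming_strings` as a parameter status, a driver can confirm which mode its connection is in before deciding how to quote literals.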
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/syntax.sgml | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/src/sgml/syntax.sgml b/doc/src/sgml/syntax.sgml index 48bf5a4feb8..cf929f0b72e 100644 --- a/doc/src/sgml/syntax.sgml +++ b/doc/src/sgml/syntax.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.131 2009/04/27 16:27:36 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/syntax.sgml,v 1.132 2009/05/05 18:32:17 petere Exp $ --> <chapter id="sql-syntax"> <title>SQL Syntax</title> @@ -500,6 +500,17 @@ U&'d!0061t!+000061' UESCAPE '!' </para> <para> + Also, the Unicode escape syntax for string constants only works + when the configuration + parameter <xref linkend="guc-standard-conforming-strings"> is + turned on. This is because otherwise this syntax could confuse + clients that parse the SQL statements to the point that it could + lead to SQL injections and similar security issues. If the + parameter is set to off, this syntax will be rejected with an + error message. + </para> + + <para> To include the escape character in the string literally, write it twice. </para> |
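Review bot: the paragraph added in the second hunk (after the `U&'d!0061t!+000061' UESCAPE '!'` example) documents the restriction in only one direction; the diffstat shows nothing under doc/src besides syntax.sgml, so the `<xref linkend="guc-standard-conforming-strings">` target in config.sgml does not mention that switching the parameter off now makes `U&''` literals fail, and an administrator turning it off for legacy applications will not learn of the new failure mode from the parameter's own description. Suggest a sentence there pointing back to this section. Also, "If the parameter is set to off, this syntax will be rejected with an error message." would help more if it quoted the error text, so a reader who hits it can match it to this paragraph; and "SQL injections" reads better as "SQL injection".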