PostgreSQL users have been put in a potentially sticky situation by a serious security flaw made public this week. The flaw allows for SQL injection attacks and affects all versions of PostgreSQL apart from the fixed versions released this week. However, the fix, PostgreSQL developers admit, will break many users' applications.
"Six PostgreSQL programmers worked for four weeks to come up with a method to fix the vulnerability without affecting production applications," said core developer Josh Berkus in documentation published to explain the complex bug. "This was the best we could do – it leaves most users' applications untouched."
Those using Far Eastern multi-byte encodings such as SJIS, BIG5, GBK, GB18030 and UHC are out of luck, however, and will need to rework their applications for them to work after applying the patch. Specifically, they will need to remove any nonstandard string escaping mechanisms, such as the popular "backslash-escape", or at least modify them to use SQL-standard escaping, according to Berkus. He admitted the modifications would be "painful" for many users.
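To show why that advice matters for these encodings, here is an added example (not code from the article or from the PostgreSQL project): a constructed Shift_JIS-aware scanner stands in for a multi-byte-aware server lexer and demonstrates that byte-level backslash escaping leaves a literal containing 表 (0x95 0x5C in Shift_JIS) unterminated, while SQL-standard quote doubling delimits it correctly. The function names, the escapers and the scanner are assumptions for illustration, not PostgreSQL's implementation.

```python
# Constructed illustration, not PostgreSQL's lexer: models how a server that
# understands Shift_JIS walks a single-quoted literal. The key fact: 0x5C ("\")
# is a legal trailing byte of a two-byte character, 0x27 ("'") never is.

def sjis_char_len(b: int) -> int:
    """Shift_JIS lead bytes 0x81-0x9F and 0xE0-0xFC start a 2-byte character."""
    return 2 if 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC else 1

def literal_end(sql: bytes, backslash_escapes: bool) -> int:
    """Index just past the closing quote of the literal starting at sql[0],
    or -1 if the literal never terminates (the failure mode behind the flaw)."""
    assert sql[:1] == b"'"
    i = 1
    while i < len(sql):
        if sjis_char_len(sql[i]) == 2:        # whole 2-byte char, trail may be 0x5C
            i += 2
            continue
        if sql[i] == 0x27:
            if sql[i + 1:i + 2] == b"'":      # doubled quote: literal continues
                i += 2
                continue
            return i + 1                      # genuine closing quote
        if backslash_escapes and sql[i] == 0x5C:
            i += 2                            # backslash swallows the next byte
            continue
        i += 1
    return -1

def escape_backslash(s: str) -> bytes:
    """Nonstandard byte-level backslash escaping of a Shift_JIS string."""
    raw = s.encode("shift_jis")
    return b"'" + raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"

def escape_standard(s: str) -> bytes:
    """SQL-standard escaping: only the quote is doubled, bytes otherwise untouched."""
    return b"'" + s.encode("shift_jis").replace(b"'", b"''") + b"'"

def literal_is_sound(s: str, escaper, backslash_escapes: bool) -> bool:
    """True iff the server would end the literal exactly where the escaper did."""
    lit = escaper(s)
    return literal_end(lit, backslash_escapes) == len(lit)

if __name__ == "__main__":
    # ASCII input is fine either way; 表 (0x95 0x5C) is where backslash escaping breaks.
    print(literal_is_sound("it's", escape_backslash, True))   # True
    print(literal_is_sound("表", escape_backslash, True))      # False
    print(literal_is_sound("表'", escape_standard, True))      # True
```

The unterminated case is the one to look for when auditing a client library: any escaper that inserts 0x5C on a byte basis is unsound for these encodings.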
Update: Josh Berkus left a comment to this post suggesting that people read the FAQ about the security fix set up here so that they know exactly what changes they need to make and whether they are in danger.