Commit Graph

32 Commits (63422c7d6cfe092af402f48e16729acd1e3bae1c)

Author SHA1 Message Date
merlin da0315d1a4
optimisations of quote functions by @sean- 2024-12-28 13:31:09 +02:00
merlin 120c89fe0d
fix preallocations of quoted string 2024-12-28 13:31:09 +02:00
merlin 057937db27
add prefix to quoters tests 2024-12-28 13:31:09 +02:00
merlin 47cbd8edb8
drop too large values from memory pools 2024-12-28 13:31:09 +02:00
merlin 90a77b13b2
add docs to sanitize tests 2024-12-28 13:31:08 +02:00
merlin 59d6aa87b9
rework QuoteString and QuoteBytes as append-style 2024-12-28 13:31:08 +02:00
merlin 39ffc8b7a4
add lexer and query pools
use lexer pool
2024-12-28 13:31:08 +02:00
merlin c4c1076d28
add FuzzQuoteString and FuzzQuoteBytes 2024-12-28 13:31:08 +02:00
merlin 4293b25262
decrease number of samples in go benchmark 2024-12-28 13:31:08 +02:00
merlin ea1e13a660
quoteString 2024-12-28 13:31:08 +02:00
merlin 58d4c0c94f
quoteBytes
check new quoteBytes
2024-12-28 13:31:08 +02:00
merlin 1752f7b4c1
docs 2024-12-28 13:31:08 +02:00
merlin ee718a110d
append AvailableBuffer 2024-12-28 13:31:08 +02:00
merlin 546ad2f4e2
shared bytestring 2024-12-28 13:31:08 +02:00
merlin efc2c9ff44
buf pool 2024-12-28 13:31:08 +02:00
merlin aabed18db8
add benchmark tool
fix benchmark script

fix benchmark script
2024-12-28 13:31:08 +02:00
merlin afa974fb05
base case
make benchmark more extensive

add quote to string

add BenchmarkSanitizeSQL
2024-12-28 13:31:08 +02:00
Jack Christensen 49b6aad319 Use spaces instead of parentheses for SQL sanitization
This still solves the problem of negative numbers creating a line
comment, but this avoids breaking edge cases such as `set foo to $1`
where the substitution is taking place in a location where an arbitrary
expression is not allowed.

https://github.com/jackc/pgx/issues/1928
2024-03-09 12:09:42 -06:00
Jack Christensen c543134753 SQL sanitizer wraps arguments in parentheses
pgx v5 was not vulnerable to CVE-2024-27289 due to how the sanitizer was
being called. But the sanitizer itself still had the underlying issue.
This commit ports the fix from pgx v4 to v5 to ensure that the issue
does not emerge if pgx uses the sanitizer differently in the future.
2024-03-04 09:09:42 -06:00
maksymnevajdev 319c3172f2 fix panic in prepared sql 2023-12-01 18:34:41 -06:00
Jack Christensen ba4bbf92af Fix query sanitizer
...when query text contains the Unicode replacement character.
utf8.RuneError actually is a valid character.
2022-11-14 18:32:26 -06:00
Jack Christensen 1f4b34f932 Merge branch 'master' into v5-dev 2022-04-23 11:05:24 -05:00
Jack Christensen f14fb3d692 Replace interface{} with any 2022-04-09 09:12:55 -05:00
Andrew Rusakow a86ece025c Fix single line comment for line endings in mac when sanitizing. 2022-03-04 18:17:40 -06:00
Jack Christensen 72cc95e4dd Bump module version to v5 2021-12-11 13:29:03 -06:00
Jack Christensen a49f4bb135 Use errors instead of golang.org/x/xerrors 2021-03-25 09:55:12 -04:00
Rusakow Andrew 292539a590 Add comment support when sanitizing SQL queries 2021-03-13 07:31:56 -06:00
Andrew Nicoll 816e95d3ee sanitize time to within microsecond accuracy 2020-03-27 13:03:36 +00:00
Jack Christensen 29f02807b0 Restore simple protocol support 2019-05-20 20:36:03 -05:00
Jack Christensen c53c9e6eb5 Remove simple protocol and one round trip query options
It is impossible to guarantee that a query executed with the simple
protocol will behave the same as with the extended protocol. This is
because the normal pgx path relies on knowing the OID of query
parameters. Without this encoding a value can only be determined by the
value instead of the combination of value and PostgreSQL type. For
example, how should a []int32 be encoded? It might be encoded into a
PostgreSQL int4[] or json.

Removal also simplifies the core query path.

The primary reason for the simple protocol is for servers like PgBouncer
that may not be able to support normal prepared statements. After
further research it appears that issuing a "flush" instead of "sync" after
preparing the unnamed statement would allow PgBouncer to work.

The one round trip mode can be better handled with prepared statements.

As a last resort, all original server functionality can still be accessed by
dropping down to PgConn.
2019-04-13 11:39:01 -05:00
Jack Christensen 8f4178b3d3 Use github.com/pkg/errors 2017-06-04 21:30:03 -05:00
Jack Christensen 7b1f461ec3 Add simple protocol support with (Query|Exec)Ex 2017-04-10 08:58:51 -05:00