Escaping question

[ianshefferman]

I'm not an expert at PostgreSQL, but shouldn't backslashes also be doubled too, to prevent an attacker from escaping '' with \''?

pgmoon/pgmoon/init.moon

Line 415 in 5e3ce03

return "'#{(val\gsub "'", "''")}'"

[leafo]

Modern versions of postgres don't treat backslash as an escape character in regular string literals:

leafo=# select '\''hello';
 ?column? 
----------
 \'hello
(1 row)

leafo=# select 'hello\nhello';
   ?column?   
--------------
 hello\nhello
(1 row)

From the documentation:

If the configuration parameter standard_conforming_strings is off, then PostgreSQL recognizes backslash escapes in both regular and escape string constants. However, as of PostgreSQL 9.1, the default is on, meaning that backslash escapes are recognized only in escape string constants.

I do not mention anywhere that 9.1 or above should be used, and that the default settings should not be changed though.

[ianshefferman]

Thanks, that's pretty much what I figured. I'll be sure to use the most up-to-date version of PostgreSQL in my projects. I suppose it may be worthwhile to mention in the README that this library is designed for 9.1+.