This project is archived and is in readonly mode.

#2547 ✓resolved
Eugene Pimenov

PostgreSQL adapter: quote_string is not thread safe

Reported by Eugene Pimenov | April 23rd, 2009 @ 10:51 AM | in 2.x

PostgreSQL adapter calls PGconn.escape class method which is not thread safe. Should call PGconn#escape instance method which is thread safe. Simple as that.

The same goes with escape_bytea. There's no PQunescapeByteaConn, so I assume unescpae_bytea is thread safe.

The problem exists at least in 2.2.2+.

Comments and changes to this ticket

  • Max Lapshin

    Max Lapshin April 27th, 2009 @ 03:04 PM

    • Assigned user set to “Tarmo Tänav”

    Eugene, where is written, that PGconn.escape is unsafe?

  • Eugene Pimenov

    Eugene Pimenov April 27th, 2009 @ 03:12 PM

    >> puts $$
    >> PGconn.escape('test')
    => "test"
    => "test"
     sudo dtrace -n 'pid94100::PQescapeString:entry { printf("it called me\n") } pid94100::PQescapeStringConn:entry { printf("it called me\n") }'
    dtrace: description 'pid94100::PQescapeString:entry ' matched 2 probes
    CPU     ID                    FUNCTION:NAME
      1  22323             PQescapeString:entry it called me
      0  22324         PQescapeStringConn:entry it called me

    PQescapeString can be used safely in single-threaded client programs that work with only one PostgreSQL connection at a time (in this case it can find out what it needs to know "behind the scenes"). In other contexts it is a security hazard and should be avoided in favor of PQescapeStringConn.
  • Max Lapshin

    Max Lapshin April 27th, 2009 @ 03:33 PM

    • Tag changed from activecord, database, escape, escaping, patch, postgres, postgresql to activecord, bug, database, escape, escaping, patch, postgres, postgresql

    +1 This patch works for me, all test passed and it seems to be rather good.

  • Michael Koziarski

    Michael Koziarski June 9th, 2009 @ 09:13 AM

    • State changed from “new” to “resolved”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>