Fix string escaping when standard_conforming_strings is 'off'

Ignore-this: 2f27bc24aa303a41fea7cd469dac2ac4

PostGreSQL supports two different string escaping syntax:
- the standard SQL escape convention is to put string literals between
  single quotes, and double them inside: 'foo''bar' for "foo'bar"
- the non-standard "C-style escaping" allows usual backquote escaping
  of \n,\r,\\ etc. when the literal is marked with a E:
  E'foo\'bar'. Note that both "\n" and "\\n" are then interpreted as
  the end-of-line character.

When the standard_conforming_strings flag is off, which is the default
value for PostGreSQL before 9.1, C-style escaping is also allowed in
standard string literals (without E); this means that the string
literal 'foo\', while accepted by the SQL standard, is
a non-terminated string literal when interpreted by old versions of
PostgreSQL, which might raise SQL injections concerns.

The fix is to use E everywhere and protect against all
backslashes. This forces us into the relatively nonsensical
non-standard mode, but at least the behavior is consistent across all
PostgreSQL versions and configurations.

darcs-hash:20121219154827-a85e5-c1ab1535f67bdaf073517c373f54b40019d025fd

Author: kit-ty-kate

src/sql_printers.ml

@@ -36,6 +36,8 @@ let escape_string s =
   String.iter (function
     | '\'' ->
       Buffer.add_char b '\''; Buffer.add_char b '\''
+    | '\\' ->
+      Buffer.add_char b '\\'; Buffer.add_char b '\\'
     | c -> Buffer.add_char b c)
     s;
   Buffer.contents b
@@ -150,7 +152,7 @@ and string_of_table_name = function
   | (None, table) -> keyword_safe table
   | (Some schema, table) -> sprintf "%s.%s" (keyword_safe schema) (keyword_safe table)
 and string_of_atom =
-  let quote printer value = sprintf "'%s'" (printer value) in
+  let quote printer value = sprintf "E'%s'" (printer value) in
   function
     | Bool b -> macaque_string_of_bool b
     | Int16 i -> PGOCaml.string_of_int16 i