
Possible problem with PQescapeStringConn and standard_conforming_strings

You can set standard_conforming_strings in postgresql.conf at any time
and reload the config, changing the value for all active connections.

That means that if a client opens a connection, and you SIGHUP postgres,
and then the client issues a PQescapeStringConn, the client will get an
incorrectly-escaped string.

This could be a security vulnerability. Webservers which hold open
connections for long periods of time could be incorrectly escaping
values for long periods of time -- between the SIGHUP that changed
standard_conforming_strings, and the time the connection is closed.

Should we change standard_conforming_strings so that it only takes
effect on new connections (or server restart, if we must)? Are there
other similar settings that affect PQescapeStringConn?

Regards,
	Jeff Davis
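
The mismatch described in the message above, as an added example that is not part of the original post and is not libpq or server code: a toy escaper and a toy literal parser, run with the client's cached setting and the server's actual setting for every combination. The function names and the sample value are hypothetical, and only the `\\` and `\'` escape forms are modeled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not libpq's code: quotes are always doubled; backslashes only when the
 * client believes standard_conforming_strings is off. 'out' needs 2*strlen(in)+1 bytes. */
static void model_escape(char *out, const char *in, bool client_scs)
{
    for (; *in; in++) {
        if (*in == '\'' || (*in == '\\' && !client_scs))
            *out++ = *in;               /* doubling character */
        *out++ = *in;
    }
    *out = '\0';
}

/* Toy server-side reader for the body of a '...' literal: true only on an exact round trip. */
static bool model_roundtrip(const char *body, const char *expect, bool server_scs)
{
    char dec[256]; size_t n = 0;
    for (const char *p = body; *p; p++) {
        if (n + 1 >= sizeof dec) return false;
        if (*p == '\\' && !server_scs) {
            if (!*++p) return false;         /* dangling backslash */
        } else if (*p == '\'') {
            if (*++p != '\'') return false;  /* lone quote ends the literal early */
        }
        dec[n++] = *p;
    }
    dec[n] = '\0';
    return strcmp(dec, expect) == 0;
}

/* Escape with the client's cached setting, parse with the server's real one. */
bool escaping_is_safe(const char *value, bool client_scs, bool server_scs)
{
    char esc[512];
    if (strlen(value) * 2 + 1 > sizeof esc) return false;
    model_escape(esc, value, client_scs);
    return model_roundtrip(esc, value, server_scs);
}

int main(void)
{
    const char *v = "a\\'b";   /* constructed sample: a, backslash, quote, b */
    for (int i = 0; i < 4; i++)
        printf("client=%d server=%d safe=%d\n", i / 2, i % 2, escaping_is_safe(v, i / 2, i % 2));
    return 0;
}
```

In this model the value round-trips only when both sides agree on the setting; when the client assumes on and the server is off the literal ends early, and in the opposite case the stored data gains an extra backslash.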


