An attacker able to submit crafted strings to an
application that will embed those strings in SQL commands
can use invalidly-encoded multibyte characters to bypass
standard string-escaping methods, resulting in possible
injection of hostile SQL commands into the database. The
attacks covered here work in any multibyte encoding.
The widely-used practice of escaping ASCII single quote
"'" by turning it into "\'" is unsafe when operating in
multibyte encodings that allow 0x5c (ASCII code for
backslash) as the trailing byte of a multibyte character;
this includes at least SJIS, BIG5, GBK, GB18030, and UHC.
An application that uses this conversion while embedding
untrusted strings in SQL commands is vulnerable to
SQL-injection attacks if it communicates with the server in
one of these encodings. While the standard client libraries
used with PostgreSQL have escaped "'" in the safe,
SQL-standard way of "''" for some time, the older practice
remains common.