light of the limitations listed below.

</para>

<warning>

<para>

Restoring a dump causes the destination to execute arbitrary code of the

source superusers' choice. Partial dumps and partial restores do not limit

that. If the source superusers are not trusted, the dumped SQL statements

must be inspected before restoring. Non-plain-text dumps can be inspected

by using <application>pg_restore</application>'s <option>--file</option>

option. Note that the client running the dump and restore need not trust

the source or destination superusers.

</para>

</warning>

</refsect1>

<refsect1 id="pg-dump-options">

</listitem>

</varlistentry>

<varlistentry>

<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>

<listitem>

<para>

Use the provided string as the <application>psql</application>

<command>\restrict</command> key in the dump output. This can only be

specified for plain-text dumps, i.e., when <option>--format</option> is

set to <literal>plain</literal> or the <option>--format</option> option

is omitted. If no restrict key is specified,

<application>pg_dump</application> will generate a random one as

needed. Keys may contain only alphanumeric characters.

</para>

<para>

This option is primarily intended for testing purposes and other

scenarios that require repeatable output (e.g., comparing dump files).

It is not recommended for general use, as a malicious server with

advance knowledge of the key may be able to inject arbitrary code that

will be executed on the machine that runs

<application>psql</application> with the dump output.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--rows-per-insert=<replaceable class="parameter">nrows</replaceable></option></term>

<listitem>

linkend="libpq-pgpass"/> for more information.

</para>

<warning>

<para>

Restoring a dump causes the destination to execute arbitrary code of the

source superusers' choice. Partial dumps and partial restores do not limit

that. If the source superusers are not trusted, the dumped SQL statements

must be inspected before restoring. Note that the client running the dump

and restore need not trust the source or destination superusers.

</para>

</warning>

</refsect1>

<refsect1>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>

<listitem>

<para>

Use the provided string as the <application>psql</application>

<command>\restrict</command> key in the dump output. If no restrict

key is specified, <application>pg_dumpall</application> will generate a

random one as needed. Keys may contain only alphanumeric characters.

</para>

<para>

This option is primarily intended for testing purposes and other

scenarios that require repeatable output (e.g., comparing dump files).

It is not recommended for general use, as a malicious server with

advance knowledge of the key may be able to inject arbitrary code that

will be executed on the machine that runs

<application>psql</application> with the dump output.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--rows-per-insert=<replaceable class="parameter">nrows</replaceable></option></term>

<listitem>

<application>pg_restore</application> will not be able to load the data

using <command>COPY</command> statements.

</para>

<warning>

<para>

Restoring a dump causes the destination to execute arbitrary code of the

source superusers' choice. Partial dumps and partial restores do not limit

that. If the source superusers are not trusted, the dumped SQL statements

must be inspected before restoring. Non-plain-text dumps can be inspected

by using <application>pg_restore</application>'s <option>--file</option>

option. Note that the client running the dump and restore need not trust

the source or destination superusers.

</para>

</warning>

</refsect1>

<refsect1 id="app-pgrestore-options">

</listitem>

</varlistentry>

<varlistentry>

<term><option>--restrict-key=<replaceable class="parameter">restrict_key</replaceable></option></term>

<listitem>

<para>

Use the provided string as the <application>psql</application>

<command>\restrict</command> key in the dump output. This can only be

specified for SQL script output, i.e., when the <option>--file</option>

option is used. If no restrict key is specified,

<application>pg_restore</application> will generate a random one as

needed. Keys may contain only alphanumeric characters.

</para>

<para>

This option is primarily intended for testing purposes and other

scenarios that require repeatable output (e.g., comparing dump files).

It is not recommended for general use, as a malicious server with

advance knowledge of the key may be able to inject arbitrary code that

will be executed on the machine that runs

<application>psql</application> with the dump output.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term><option>--section=<replaceable class="parameter">sectionname</replaceable></option></term>

<listitem>

<application>pg_upgrade</application> supports upgrades from 9.2.X and later to the current

major release of <productname>PostgreSQL</productname>, including snapshot and beta releases.

</para>

<warning>

<para>

Upgrading a cluster causes the destination to execute arbitrary code of the

source superusers' choice. Ensure that the source superusers are trusted

before upgrading.

</para>

</warning>

</refsect1>

<refsect1>

</varlistentry>

<varlistentry id="app-psql-meta-command-restrict">

<term><literal>\restrict <replaceable class="parameter">restrict_key</replaceable></literal></term>

<listitem>

<para>

Enter "restricted" mode with the provided key. In this mode, the only

allowed meta-command is <command>\unrestrict</command>, to exit

restricted mode. The key may contain only alphanumeric characters.

</para>

<para>

This command is primarily intended for use in plain-text dumps

generated by <application>pg_dump</application>,

<application>pg_dumpall</application>, and

<application>pg_restore</application>, but it may be useful elsewhere.

</para>

</listitem>

</varlistentry>

<varlistentry id="app-psql-meta-command-s">

<term><literal>\s [ <replaceable class="parameter">filename</replaceable> ]</literal></term>

<listitem>

</varlistentry>

<varlistentry id="app-psql-meta-command-unrestrict">

<term><literal>\unrestrict <replaceable class="parameter">restrict_key</replaceable></literal></term>

<listitem>

<para>

Exit "restricted" mode (i.e., where all other meta-commands are

blocked), provided the specified key matches the one given to

<command>\restrict</command> when restricted mode was entered.

</para>

<para>

This command is primarily intended for use in plain-text dumps

generated by <application>pg_dump</application>,

<application>pg_dumpall</application>, and

<application>pg_restore</application>, but it may be useful elsewhere.

</para>

</listitem>

</varlistentry>

<varlistentry id="app-psql-meta-command-unset">

<term><literal>\unset <replaceable class="parameter">name</replaceable></literal></term>

$pitr1->command_ok(

[

'pg_dumpall',

'--restrict-key=test',

'--no-sync',

'--no-unlogged-table-data',

'--file'=>$dump1,

$pitr2->command_ok(

[

'pg_dumpall',

'--restrict-key=test',

'--no-sync',

'--no-unlogged-table-data',

'--file'=>$dump2,

staticconstcharrestrict_chars[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

staticboolparseAclItem(constchar*item,constchar*type,

constchar*name,constchar*subname,intremoteVersion,

pg_fatal("directory \"%s\" is not empty",dirname);

}

}

generate_restrict_key(void)

{

uint8buf[64];

char*ret=palloc(sizeof(buf));

if (!pg_strong_random(buf,sizeof(buf)))

returnNULL;

for (inti=0;i<sizeof(buf)-1;i++)

{

uint8idx=buf[i] %strlen(restrict_chars);

ret[i]=restrict_chars[idx];

}

ret[sizeof(buf)-1]='\0';

returnret;

}

valid_restrict_key(constchar*restrict_key)

{

restrict_key[0]!='\0'&&

strspn(restrict_key,restrict_chars)==strlen(restrict_key);

}

PQExpBufferbuf);

externvoidcreate_or_open_dir(constchar*dirname);

externchar*generate_restrict_key(void);

externboolvalid_restrict_key(constchar*restrict_key);

booldumpSchema;

booldumpData;

booldumpStatistics;

char*restrict_key;

}RestoreOptions;

booldumpSchema;

booldumpData;

booldumpStatistics;

char*restrict_key;

}DumpOptions;

dopt->include_everything=ropt->include_everything;

dopt->enable_row_security=ropt->enable_row_security;

dopt->sequence_data=ropt->sequence_data;

dopt->restrict_key=ropt->restrict_key ?pg_strdup(ropt->restrict_key) :NULL;

returndopt;

}

ahprintf(AH,"--\n-- PostgreSQL database dump\n--\n\n");

if (ropt->restrict_key)

ahprintf(AH,"\\restrict %s\n\n",ropt->restrict_key);

if (AH->archiveRemoteVersion)

ahprintf(AH,"-- Dumped from database version %s\n",

AH->archiveRemoteVersion);

ahprintf(AH,"--\n-- PostgreSQL database dump complete\n--\n\n");

if (ropt->restrict_key)

ahprintf(AH,"\\unrestrict %s\n\n",ropt->restrict_key);

{

PQExpBufferDataconnectbuf;

RestoreOptions*ropt=AH->public.ropt;

ahprintf(AH,"\\unrestrict %s\n",ropt->restrict_key);

initPQExpBuffer(&connectbuf);

appendPsqlMetaConnect(&connectbuf,dbname);

ahprintf(AH,"%s\n",connectbuf.data);

ahprintf(AH,"%s",connectbuf.data);

termPQExpBuffer(&connectbuf);

ahprintf(AH,"\\restrict %s\n\n",ropt->restrict_key);

}