Use safer quoting for placeholders by mattlaw · Pull Request #457 · perl5-dbi/DBD-mysql · GitHub

Use safer quoting for placeholders #457


Merged: 1 commit merged into perl5-dbi:master on Jan 3, 2025

Conversation

@mattlaw (Author) commented Jan 3, 2025

Switch to mysql_real_escape_string_quote for placeholder replacement, allowing placeholders to be used when NO_BACKSLASH_ESCAPES is in effect.

Switch to mysql_real_escape_string_quote for placeholder replacement,
allowing placeholders to be used when NO_BACKSLASH_ESCAPES is in effect.
@dveeden (Collaborator) commented Jan 3, 2025

What about the ANSI_QUOTES note on https://dev.mysql.com/doc/c-api/9.1/en/mysql-real-escape-string-quote.html? Could this cause a regression for ANSI_QUOTES with double-quoted characters?

@dveeden (Collaborator) commented Jan 3, 2025

Please add any info on the use case for this and why it would be safer, etc.

So far this looks like an ok change to me.

@mattlaw (Author) commented Jan 3, 2025

> Please add any info on the use case for this and why it would be safer, etc.

If you run t/17quote.t on the previous version of the code, you can see that NO_BACKSLASH_ESCAPES causes placeholder replacement to produce invalid query syntax (effectively the ? placeholder is replaced by a single ' because mysql_real_escape_string returns -1 and rewinds the pointer).

ok 20 - NO_BACKSLASH_ESCAPES foo
DBD::mysql::db selectrow_array failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 at t/17quote.t line 34.
DBD::mysql::db selectrow_array failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 at t/17quote.t line 34.
# Looks like your test exited with 255 just after 20.
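As an added illustration (hypothetical helper code, not from this PR or from DBD::mysql), the following mirrors what mysql_real_escape_string_quote does for the `'` delimiter under each SQL mode, and pairs it with the kind of check a test like t/17quote.t could apply: a quoted literal must close exactly at its last byte under the server's mode, which a backslash-escaped quote does not once NO_BACKSLASH_ESCAPES is in effect. Function names and the test inputs are assumptions.

```c
#include <string.h>

/* Hypothetical helper (not DBD::mysql code): build a single-quoted SQL
 * literal as mysql_real_escape_string_quote does for quote char '\'' under
 * the given SQL mode. Returns bytes written, or -1 if out is too small. */
long quote_literal(const char *in, size_t inlen, int no_backslash_escapes,
                   char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        const char *rep = NULL;          /* replacement text, if any */
        char esc[3] = {'\\', 0, 0};
        if (no_backslash_escapes) {
            if (c == '\'') rep = "''";   /* only the delimiter, doubled */
        } else switch (c) {              /* classic backslash escapes */
            case 0:      esc[1] = '0';  rep = esc; break;
            case '\n':   esc[1] = 'n';  rep = esc; break;
            case '\r':   esc[1] = 'r';  rep = esc; break;
            case '\\':   esc[1] = '\\'; rep = esc; break;
            case '\'':   esc[1] = '\''; rep = esc; break;
            case '"':    esc[1] = '"';  rep = esc; break;
            case '\032': esc[1] = 'Z';  rep = esc; break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (o + n + 1 >= outlen) return -1;  /* keep room for ' and NUL */
        if (rep) { memcpy(out + o, rep, n); o += n; } else out[o++] = (char)c;
    }
    out[o++] = '\'';
    out[o] = 0;
    return (long)o;
}

/* Check for a test: under the given mode, does the literal close exactly
 * at its last byte? A backslash-escaped quote fails this when
 * NO_BACKSLASH_ESCAPES is on, because the backslash is then literal. */
int literal_closes_at_end(const char *lit, int no_backslash_escapes)
{
    size_t len = strlen(lit);
    if (len < 2 || lit[0] != '\'') return 0;
    for (size_t i = 1; i < len; i++) {
        if (!no_backslash_escapes && lit[i] == '\\') { i++; continue; }
        if (lit[i] != '\'') continue;
        if (i + 1 < len && lit[i + 1] == '\'') { i++; continue; } /* '' */
        return i == len - 1;
    }
    return 0;
}
```

Doubling the quote is accepted in both modes, which is why the mode-aware output stays well-formed everywhere while the backslash form only holds in the default mode.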

@mattlaw (Author) commented Jan 3, 2025

> What about the ANSI_QUOTES note on https://dev.mysql.com/doc/c-api/9.1/en/mysql-real-escape-string-quote.html? Could this cause a regression for ANSI_QUOTES with double-quoted characters?

In this context, we're never processing a double-quoted string. We've added single quotes ourselves for quoting purposes.

@dveeden dveeden merged commit 6d9f97c into perl5-dbi:master Jan 3, 2025
7 of 8 checks passed
@dveeden dveeden added this to the 5.011 milestone Jan 3, 2025
@mattlaw mattlaw deleted the no_backslash_escapes branch January 3, 2025 14:39