[PATCH] change sql string escaping
Posted: Fri Jan 08, 2010 1:58 pm
Hi,
currently the string escaping sequence for ndo2db tries to escape
everything possible for the upcoming insert/update into the rdbm. This
is rather useless given that most of the escaped characters
do not harm the query within a quoted string.
Only a single quote must be escaped by another single quote to let the
rdbm handle that escaping. All other escape sequences are not needed
inside a quoted string.
e.g. the value: freddy's host
  'freddy's host'  => without the escaped single quote, interpreted as 'freddy' -> error, query failed
  'freddy''s host' => with the escaped single quote, the query does not fail and everything is fine
This escaping method is true for Oracle, Postgres and MySQL (all three
tested ok with IDOUtils). Maybe it will be patched to NDOUtils for any
future updates when working with more than one rdbm - no more worries
about that.
The attached patch matches against the git converted NDOUtils repository.
Kind regards,
Michael
Attachment: 0001-change-sql-string-escaping.patch
From 5d1e6659f2992029125af6a1d2e453fc7d3f85c5 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Fri, 8 Jan 2010 14:12:35 +0100
Subject: [PATCH] change sql string escaping
only ' must be escaped using '' all other characters
are handled correctly by rdbms like mysql, pgsql, oracle
---
src/db.c | 10 ++--------
1 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/db.c b/src/db.c
index e06afc1..6455565 100644
--- a/src/db.c
+++ b/src/db.c
@@ -472,14 +472,8 @@ char *ndo2db_db_escape_string(ndo2db_idi *idi, char *buf){
/* escape characters */
for(x=0,y=0;xdbinfo.server_type==NDO2DB_DBSERVER_MYSQL){
- if(buf[x]=='\'' || buf[x]=='\"' || buf[x]=='*' || buf[x]=='\\' || buf[x]=='$' || buf[x]=='?' || buf[x]=='.' || buf[x]=='^' || buf[x]=='+' || buf[x]=='[' || buf[x]==']' || buf[x]=='(' || buf[x]==')')
- newbuf[y++]='\\';
- }
- else if(idi->dbinfo.server_type==NDO2DB_DBSERVER_PGSQL){
- if(! (isspace(buf[x]) || isalnum(buf[x]) || (buf[x]=='_')) )
- newbuf[y++]='\\';
- }
+ if(buf[x]=='\'' )
+ newbuf[y++]='\'';
newbuf[y++]=buf[x];
}
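Review bot: Dropping the `buf[x]=='\\'` case from the MySQL branch leaves a backslash unescaped, and MySQL's string parser treats a backslash inside a quoted literal as an escape introducer by default (only NO_BACKSLASH_ESCAPES turns that off), so a value containing a backslash immediately before a single quote would still close the literal early even though the quote itself is now doubled; PostgreSQL releases of this era behave the same way unless standard_conforming_strings is on. Doubling the quote is sufficient for Oracle and for standard-conforming strings, but for MySQL the backslash should stay escaped (emit `\\` for `\`), or better, the backend's own routine (mysql_real_escape_string on MySQL, PQescapeStringConn on PostgreSQL) should be used, since it knows the connection's character set and SQL mode. Also note that the `for` header in this hunk reads `for(x=0,y=0;xdbinfo.server_type==NDO2DB_DBSERVER_MYSQL){` in the archived copy, so the loop condition and the opening of the server-type `if` have been lost in transit; apply the patch from the original attachment rather than this rendering.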
--
1.5.5.6
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
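The escaping rule from the post, as an added example that is not NDOUtils code: a small C routine that doubles single quotes for standard SQL literals and, going one step beyond the patch, also doubles backslashes for MySQL's default string parser, plus a checker that scans the escaped body the way each dialect's parser would. The dialect enum and both function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ndo2db code. Standard SQL (Oracle, PostgreSQL with
 * standard_conforming_strings=on) needs only ' doubled to ''; MySQL's
 * default parser also treats \ as an escape, so there \ must become \\. */
enum sql_dialect { SQL_STANDARD, SQL_MYSQL_BACKSLASH };
/* Escape a value for use between single quotes; returns a malloc'd copy
 * (NULL on failure). Each input byte yields at most two output bytes. */
char *sql_escape_literal(const char *buf, enum sql_dialect dialect)
{
    size_t len = strlen(buf), y = 0;
    char *out = malloc(len * 2 + 1);
    if (out == NULL)
        return NULL;
    for (size_t x = 0; x < len; x++) {
        if (buf[x] == '\'')
            out[y++] = '\'';              /* ' -> '' in every dialect */
        else if (dialect == SQL_MYSQL_BACKSLASH && buf[x] == '\\')
            out[y++] = '\\';              /* \ -> \\ only where \ escapes */
        out[y++] = buf[x];
    }
    out[y] = '\0';
    return out;
}
/* Scan an escaped body as the dialect's parser would: 1 if the literal
 * '<escaped>' ends at its final quote, 0 if a quote closes it early. */
int literal_is_balanced(const char *escaped, enum sql_dialect dialect)
{
    size_t n = strlen(escaped);
    for (size_t i = 0; i < n; i++) {
        if (dialect == SQL_MYSQL_BACKSLASH && escaped[i] == '\\') {
            if (++i >= n)
                return 0;                 /* \ would eat the closing quote */
        } else if (escaped[i] == '\'') {
            if (i + 1 >= n || escaped[i + 1] != '\'')
                return 0;                 /* lone quote ends the literal */
            i++;                          /* '' is one literal quote */
        }
    }
    return 1;
}
int main(void)
{
    char *e = sql_escape_literal("freddy's \\'host", SQL_MYSQL_BACKSLASH);
    printf("'%s' balanced=%d\n", e, literal_is_balanced(e, SQL_MYSQL_BACKSLASH));
    free(e);
    return 0;
}
```

Running the quote-only escaping through the MySQL-mode checker on a value that contains a backslash before a quote is what shows the gap the patch leaves on that backend.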