List: Internals
From: Chad MILLER  Date: October 30 2007 5:03pm
Subject:Re: [PATCH] for Bug #31113
On 30 Oct 2007, at 04:07, Marko Mäkelä wrote:

> On Tue, Oct 30, 2007 at 04:01:04PM +0800, mysql yxx wrote:
>> --- mysqldump.c.orig    2007-10-29 17:40:50.000000000 +0800
>> +++ mysqldump.c 2007-10-30 15:42:00.000000000 +0800
>> @@ -1033,7 +1033,7 @@
>>    MYSQL_RES *db_cl_res;
>>    MYSQL_ROW db_cl_row;
>>
>> -  my_snprintf(query, sizeof (query), "use %s", db_name);
>> +  my_snprintf(query, sizeof (query), "use `%s`", db_name);
>>
>>    if (mysql_query_with_error_report(mysql, NULL, query))
>>      return 1;
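Review bot: db_name still goes between the backticks unescaped on the added my_snprintf() line, so a database name that itself contains a backtick closes the identifier early and the remainder is parsed as SQL; double any embedded backtick before formatting, which is how MySQL escapes a backtick inside a backtick-quoted identifier. The quoted form is also two bytes longer and the my_snprintf() return value is discarded, so a name close to sizeof (query) would reach mysql_query_with_error_report() truncated and without its closing backtick; check the length and return 1 when it does not fit.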
>
> Shouldn't the db_name be escaped, in case it contains special characters
> like ` or \ ?  Perhaps my_snprintf() should define a modifier of %s that
> quotes identifiers when needed.

Hi Marko,

Absolutely agreed.  I'm wary of creating yet more conversion flags or
specifiers, but as long as we are using printf-style formatting
("%.*b" was my latest) all through the server, it is easier to
modify it than to replace them.

Perhaps use the conversion flag '#', which is normally unused for
's'.  Maybe it's not overkill and not too ugly to make it generic for
any quotation character (rather than unique to backtick), since those
are totally unused in format specifiers.  So, double-quote,
single-quote, backtick, all could be a parameter that is required
between # and s.

As an example (format and C-style value, then literal string):
   ("%#`s", "foo")     ->  `foo`
   ("%#\"s", "foo")    ->  "\"foo\""
   ("%#`s", "f`oo\\")  ->  `f\`oo\\`
   ("%#'s", "'")       ->  '\''
   ("%#s", "a`c'c\\d") ->  a`b'c\\d
   ("%#'`s", "foo")    ->  `foo`

So of each character, % start formatting, # peek ahead and see if
it's a "s", _ capture the quoting character, s discard.  If the
quoting character is missing, then do not add quotes and still escape
backslashes.  If there is more than one character between # and s,
then use the last.

Anyone see problems with this?  Ideas?  Complaints?

Implementations?  :)

- chad

--
Chad Miller, Software Developer                         chad@stripped
MySQL Inc., www.mysql.com
Orlando, Florida, USA                                13-20z,  UTC-0400
Office: +1 408 213 6740                         sip:6740@stripped
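
The `%#<q>s` rules proposed in the message above, sketched in C as an added example; it is not part of the original message or of MySQL's code. The function name `quote_format`, its single string argument, and the restriction of quote characters to punctuation are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int put(char *out, size_t n, size_t *pos, char c)
{
  if (*pos + 1 >= n) return -1;     /* always keep room for the NUL */
  out[(*pos)++] = c;
  return 0;
}

/* Hypothetical helper, not MySQL's my_snprintf(): expands "%#<q>s" with a
   single string argument. Returns the length written, or -1 if the result
   does not fit, so a caller never sends a truncated, half-quoted query. */
int quote_format(char *out, size_t n, const char *fmt, const char *arg)
{
  size_t pos = 0;
  if (n == 0) return -1;
  while (*fmt)
  {
    const char *end = NULL;
    if (fmt[0] == '%' && fmt[1] == '#')
    {
      /* Assumption: quote characters are punctuation, so the peek-ahead
         stops at the first other byte; only an 's' makes a directive. */
      for (end = fmt + 2; ispunct((unsigned char) *end); end++) {}
      if (*end != 's') end = NULL;
    }
    if (!end)                       /* ordinary character: copy through */
    {
      if (put(out, n, &pos, *fmt++)) return -1;
      continue;
    }
    char q = (end > fmt + 2) ? end[-1] : '\0';  /* last character wins */
    if (q && put(out, n, &pos, q)) return -1;
    for (const char *p = arg; *p; p++)
    {
      /* Backslash is always escaped; the quote character only if set. */
      if ((*p == '\\' || *p == q) && put(out, n, &pos, '\\')) return -1;
      if (put(out, n, &pos, *p)) return -1;
    }
    if (q && put(out, n, &pos, q)) return -1;
    fmt = end + 1;
  }
  out[pos] = '\0';
  return (int) pos;
}
```

MySQL itself escapes a backtick inside a backtick-quoted identifier by doubling it, not with a backslash, so this sketch follows the message's examples rather than server identifier syntax.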


