List: General Discussion
From: Paul DuBois
Date: July 6 1999 4:16am
Subject: Re: 19.4.12 mysql_escape_string()
At 1:37 AM +0000 7/6/1999, El Jeffo wrote:
>Hey, did I miss something in my intro to C class?  Anyways, here
>are a few comments I'm going to make, please correct me if I'm
>wrong. This is from:
>
>http://www.mysql.net/Manual_chapter/manual_Clients.html#mysql_escape_string
>
>19.4.12.2 Example
>
>char query[1000],*end;
>
>end = strmov(query,"INSERT INTO test_table values(");
>****okay cause it's the mysqlclient strmov()
>
>*end++ = '\";
>end += mysql_escape_string(query,"What's this",11);
>****does mysql_escape_string append??

No, this is a mistake, it should say "end" instead of "query".

>*end++ = '\";
>**** where's the close "'" for these lines?

This is an artifact of the Texinfo->HTML converter.  The original
text says '\'', not '\".

>
>*end++ = ',';
>*end++ = '\";
>end += mysql_escape_string(query,"binary data: \0\r\n",16);

This should say "end" not "query", too.

>*end++ = '\";
>*end++ = ')';
>
>if (mysql_real_query(&mysql,query,(unsigned int) (end - query)))
>{
>   fprintf(stderr, "Failed to insert row, Error: %s\n",
>           mysql_error(&mysql));
>}
>
>*** On another note:
>
>Although the string written into to is null-terminated, you should not
>assume that it can be used with functions such as strlen() or strcpy().
>If the from string contains
>null bytes, mysql_escape_string() will escape them with a leading `\'
>character in the to string, but they will still appear to those
>functions as terminating nulls.
>
>*** "they will still appear to those functions" Is very ambiguous.
>	Perhaps "The from string will still appear to strlen() and strcpy()
>	as having terminating nulls before the end of the string.  Therefore
>	you shouldn't use strlen() to determine the length argument)

It's not ambiguous, because the comment refers to the to string, not the
from string.

>Such internal null bytes will also be seen as terminating nulls by
>mysql_query() and it will not handle the query properly. Therefore, when
>you
>
>*** Why is this?  If we pass:
>  mysql_query(&mysql, "insert in.... values("\0the\0Null"))
>  where the query char* is "char *to", the query function shouldn't
>   terminate the query prematurely.... or will it?  The documentation
>   clearly states that the NUL is escaped, therefore, it is only
>   necessary to use mysql_real_query when you neglect to use
>   mysql_escape_string() and the query string only contains nulls
>   and not `\n', `\r', `\' or `''

The documentation is in error here (my fault).  I was operating under
the assumption that mysql_escape_string() turned NUL bytes into
\ + NULL (i.e., that it simply put a backslash in front of the NUL
byte).  If it did that, mysql_query() would in fact see the NUL as the
end of the string.  But mysql_escape_string() actually turns NUL into
\ + '0', that is, \ + ASCII 48.  So mysql_query() is safe for strings
that you construct using mysql_escape_string().

This will be corrected soon.  Thanks for pointing it out.

--
Paul DuBois, paul@stripped
Northern League Chronicles: http://www.snake.net/nl/
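
The manual example with both corrections from the reply applied, as an added illustration that is not part of the original message or of the MySQL manual. `demo_escape` is a hypothetical stand-in for mysql_escape_string() so the block runs without the client library, and `build_query` is an assumed helper name; it shows that escaping NUL as backslash + '0' leaves no raw NUL in the query, so strlen() agrees with `end - query`.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in escaper for illustration (hypothetical, not the client library).
   Writes NUL as backslash + '0' (ASCII 48), as the reply describes.
   `to` needs 2*len + 1 bytes. Returns the escaped length. */
static size_t demo_escape(char *to, const char *from, size_t len)
{
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        char c = from[i], esc = 0;
        switch (c) {
        case '\0': esc = '0'; break;
        case '\n': esc = 'n'; break;
        case '\r': esc = 'r'; break;
        case '\\': case '\'': case '"': esc = c; break;
        }
        if (esc) { *p++ = '\\'; *p++ = esc; } else *p++ = c;
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* The manual's INSERT with both fixes from the reply: escaped data is
   written at `end` (not `query`) and the quote character is '\''.
   Returns the query length, or 0 if `query` is too small. */
size_t build_query(char *query, size_t cap)
{
    static const char head[] = "INSERT INTO test_table values(";
    static const char bin[] = "binary data: \0\r\n"; /* 16 bytes incl. NUL */
    /* worst case: every data byte doubles, plus 4 quotes, ',', ')', NUL */
    if (cap < sizeof head - 1 + 2 * 11 + 2 * 16 + 7) return 0;
    char *end = query;
    memcpy(end, head, sizeof head - 1); end += sizeof head - 1;
    *end++ = '\'';
    end += demo_escape(end, "What's this", 11);
    *end++ = '\''; *end++ = ','; *end++ = '\''; /* close, comma, open */
    end += demo_escape(end, bin, 16);
    *end++ = '\''; *end++ = ')'; *end = '\0';
    return (size_t)(end - query);
}

int main(void)
{
    char query[1000];
    size_t n = build_query(query, sizeof query);
    printf("%zu bytes, strlen %zu: %s\n", n, strlen(query), query);
}
```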