MonetDB / monetdb-php-old

Official mirror of the MonetDB PHP driver
Mozilla Public License 2.0

Problems with escaping #1

Open bolner opened 4 years ago

bolner commented 4 years ago

Hello,

There are some bugs in the mapi_quote function, which is responsible for escaping. Practically, that function does nothing currently.

https://github.com/MonetDB/monetdb-php/blob/92435e835410c2ae088830c31583e4f3b5519188/lib/php_mapi.inc#L796

Nearly all single quotes need to be replaced by double quotes. Just execute this in a console to see:

$ php -a
php > echo '\"';
\"
php > echo '\n';
\n
php >

Then check the same with double quotes:

$ php -a
php > echo "\"";
"
php > echo "\n";

php >

Etc. As you can see, the single quote disables most of the escaping, except some, like '\'' and '\\'. So the code compares 2-character strings to single characters.

Also, some characters are missing. For example the % wildcard character or the '\r' carriage return character.

A proper implementation would have at least 3 requirements:

But the best would be to use query parameters (or prepared statements) and pass the parameters independently, outside of the query.
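A runnable illustration of the literal-type mismatch described in this issue, next to a quoting helper written with double-quoted literals. This is an added example, not the driver's or the reporter's code; the function names buggyNeedsEscape, mapiEscapeMap and mapiQuote are hypothetical, and the set of escaped characters is an assumption covering only the characters named in the issue.

```php
<?php
declare(strict_types=1);

// Buggy shape (not the driver's exact code): inside single-quoted PHP
// literals, '\n' is TWO characters (backslash, n) and '\"' is TWO characters
// (backslash, double quote), so comparing them with a one-character $ch
// can never match. Only '\'' and '\\' collapse to a single character.
function buggyNeedsEscape(string $ch): bool
{
    return in_array($ch, ['\n', '\r', '\t', '\"', '\'', '\\'], true);
}

// Corrected shape: double-quoted literals yield the actual characters.
// Which characters must be escaped is an assumption here; the map covers
// the ones named in the issue. '%' is only a wildcard inside a LIKE
// pattern, so a general quoting helper leaves it alone.
function mapiEscapeMap(): array
{
    return [
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\n" => "\\n",
        "\r" => "\\r",
        "\t" => "\\t",
    ];
}

function mapiQuote(string $value): string
{
    // strtr() with an array replaces in a single pass, so the backslash
    // produced when escaping a quote is not itself escaped again.
    return "'" . strtr($value, mapiEscapeMap()) . "'";
}

// Demonstration on constructed input: the buggy check only recognises the
// two characters that single-quoted PHP literals actually escape.
foreach (["\n", "\r", "\"", "'", "\\"] as $ch) {
    printf("buggy check %-4s: %s\n", json_encode($ch),
        buggyNeedsEscape($ch) ? 'matches' : 'never matches');
}
echo mapiQuote("O'Reilly\r\nsaid \"hi\"\\path"), "\n";
```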

kutsurak commented 4 years ago

Hello,

Thanks for the reports. For a number of reasons it will take some time to go through them. If you prepare patches we will try to review them in a timely manner.

As a side note this repository is a mirror, that is we do not use it for development. The source is maintained at https://dev.monetdb.org/hg/monetdb-php/

bolner commented 4 years ago

@kutsurak Hi, thanks for the response. I've created another client library in the meantime: https://github.com/bolner/MonetDB-PHP-Deux

best, Tamas

kutsurak commented 4 years ago

Hey @bolner,

This is great. From a (very) brief look, and from the perspective of someone who doesn't know a lot of php, this looks good! Thank you very much for your effort.

best regards, Panos.