mway08 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

MySQL CODEC : "_" character not handled properly ? #21

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The "_" and" %" characters are escaped but
http://mirror.yandex.ru/mirrors/ftp.mysql.com/doc/refman/5.0/en/string-syntax.ht
ml
specifies that these characters have specific behaviours :"If you use “\%”
or “\_” outside of pattern-matching contexts, they evaluate to the strings
“\%” and “\_”, not to “%” and “_”. " 

Example : if we have a table FOO with a row with field VALUE_FOO='TEST_1', 
the SQL command to retrieve this row : SELECT * FROM FOO WHERE
VALUE_FOO=encodeForSQL('TEST_1') will become : SELECT * FROM <table> WHERE
<field>='TEST\_1' which will not return the row. 

Original issue reported on code.google.com by Mikael.M...@gmail.com on 24 Jul 2009 at 9:41

GoogleCodeExporter commented 9 years ago
The MySQL codec should ONLY escape single quotes, I agree.

Original comment by manico.james@gmail.com on 28 Oct 2009 at 7:44

GoogleCodeExporter commented 9 years ago
would this not be the same as the current ANSI encoding in the MySQLEncoder. It 
is
currently only escaping the ' character. If that is what we want to do I will 
resolve
this and commit the fix. 

Original comment by chrisisbeef on 29 Oct 2009 at 5:23

GoogleCodeExporter commented 9 years ago

Original comment by chrisisbeef on 2 Dec 2009 at 7:54

GoogleCodeExporter commented 9 years ago
This was fixed a while ago - only ' should be encoded (to '')

Mikael Mechoulam, can you confirm this is fixed in the latest ESAPI release?

Original comment by manico.james@gmail.com on 5 Dec 2009 at 12:33

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 5 Dec 2009 at 2:11

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 5 Dec 2009 at 2:12

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 5 Dec 2009 at 2:12

GoogleCodeExporter commented 9 years ago
No, this was fixed just now in 1.4, still needs fixing in 2.1, discussing with 
group
first.

Original comment by manico.james@gmail.com on 5 Dec 2009 at 2:22

GoogleCodeExporter commented 9 years ago
PS: Chris, yes, you are right - this is just switching the default "mode" 
variable to 1

Original comment by manico.james@gmail.com on 5 Dec 2009 at 2:23

GoogleCodeExporter commented 9 years ago
Reassigned to Jim since he is working on Encoders at this time.

Original comment by chrisisbeef on 5 Dec 2009 at 6:05

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 29 May 2012 at 3:23

GoogleCodeExporter commented 9 years ago

Original comment by chrisisbeef on 18 Sep 2014 at 4:28