apr-dev mailing list archives

From Ronen Mizrahi <ro...@tversity.com>
Subject Re: Bug in sql escaping in apr_dbd_sqlite2 and apr_dbd_sqlite3
Date Thu, 12 Jan 2006 17:47:18 GMT
Any comments to this?

I apologize for the extra * characters in the code snippets from my 
first email, let me try again. The current code in apr_dbd_sqlite2.c and 
in apr_dbd_sqlite3.c for escaping strings is:

static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
                                      apr_dbd_t *sql)
{
    char *ret = sqlite3_mprintf(arg);
    apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
                              apr_pool_cleanup_null);
    return ret;
}

The first line of the function needs to be changed to:
    char *ret = sqlite3_mprintf("%q", arg);

Otherwise the use of '%' characters in arg will have unwanted side effects.

Ronen Mizrahi wrote:

> The following code (used both in apr_dbd_sqlite2.c and in 
> apr_dbd_sqlite3.c) in order to escape SQL strings is incorrect.
> When the % character appears in the arg it is misinterpreted, of course, 
> and can have far reaching side effects.
> The proper solution is listed below as well.
>
> INCORRECT:
> static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
>                                       apr_dbd_t *sql)
> {
>     char *ret = sqlite3_mprintf(arg);
>     apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
>                               apr_pool_cleanup_null);
>     return ret;
> }
>
>
> CORRECT:
> static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
>                                       apr_dbd_t *sql)
> {
>     char *ret = sqlite3_mprintf("%q", arg);
>     apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
>                               apr_pool_cleanup_null);
>     return ret;
> }
>
>
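
Added example, not code from this thread or from the APR sources: the buggy and the fixed escaping pattern side by side, with snprintf standing in for sqlite3_mprintf so it builds without SQLite. escape_fixed doubles single quotes, which is what "%q" produces; the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy pattern from the original apr_dbd code: the caller-supplied string
 * is used as the FORMAT argument, so every '%' sequence in it is interpreted.
 * The call goes through a function pointer only so that gcc's
 * -Wformat-security (which flags exactly this bug on a direct call) does not
 * reject the deliberately wrong line. Only inputs whose '%' sequences consume
 * no arguments ("%%") are fed to it, so the demonstration stays well-defined. */
static char *escape_buggy(const char *arg)
{
    int (*fmt_fn)(char *, size_t, const char *, ...) = snprintf;
    char *ret = malloc(256);
    if (ret == NULL)
        return NULL;
    fmt_fn(ret, 256, arg);           /* arg as the format string: the defect */
    return ret;
}

/* Fixed pattern: the input is treated as DATA. Single quotes are doubled,
 * which is what sqlite3_mprintf("%q", arg) produces, and '%' is untouched. */
static char *escape_fixed(const char *arg)
{
    size_t n = strlen(arg);
    char *ret = malloc(2 * n + 1);   /* worst case: every byte is a quote */
    if (ret == NULL)
        return NULL;
    char *p = ret;
    for (const char *s = arg; *s != '\0'; s++) {
        if (*s == '\'')
            *p++ = '\'';             /* ' -> '' inside an SQL literal */
        *p++ = *s;
    }
    *p = '\0';
    return ret;
}

int main(void)
{
    const char *inputs[] = { "100%% complete", "O'Brien" };   /* constructed */
    for (size_t i = 0; i < 2; i++) {
        char *b = escape_buggy(inputs[i]);
        char *f = escape_fixed(inputs[i]);
        printf("input %-16s buggy: %-16s fixed: %s\n", inputs[i], b, f);
        free(b); free(f);
    }
    return 0;
}
```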

