From: Ronen Mizrahi
Reply-to: ronen@tversity.com
To: dev@apr.apache.org
Date: Thu, 12 Jan 2006 12:47:18 -0500
Subject: Re: Bug in sql escaping in apr_dbd_sqlite2 and apr_dbd_sqlite3
In-reply-to: <43B4EE31.6080000@tversity.com>
Message-id: <43C69626.9060900@tversity.com>
Organization: TVersity
References: <600853F5-7936-4BE8-B755-29A85FA12C7E@orionsmg.com> <43B4EE31.6080000@tversity.com>

Any comments to this? I apologize for the extra * characters in the code snippets from my first email, let me try again.

The current code in apr_dbd_sqlite2.c and in apr_dbd_sqlite3.c for escaping strings is:

    static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
                                          apr_dbd_t *sql)
    {
        char *ret = sqlite3_mprintf(arg);
        apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
                                  apr_pool_cleanup_null);
        return ret;
    }

The first line of the function needs to be changed to:

    char *ret = sqlite3_mprintf("%q", arg);

Otherwise the use of '%' characters in arg will have unwanted side effects.

Ronen Mizrahi wrote:
> The following code (used both in apr_dbd_sqlite2.c and in
> apr_dbd_sqlite3.c) in order to escape SQL strings is incorrect.
> When the % character appears in the arg it is misinterpreted of course
> and can have far reaching side effects.
> The proper solution is listed below as well.
>
> INCORRECT:
>     static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
>                                           apr_dbd_t *sql)
>     {
>         char *ret = sqlite3_mprintf(arg);
>         apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
>                                   apr_pool_cleanup_null);
>         return ret;
>     }
>
> CORRECT:
>     static const char *dbd_sqlite3_escape(apr_pool_t *pool, const char *arg,
>                                           apr_dbd_t *sql)
>     {
>         char *ret = sqlite3_mprintf("%q", arg);
>         apr_pool_cleanup_register(pool, ret, (void *) sqlite3_free,
>                                   apr_pool_cleanup_null);
>         return ret;
>     }
>
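The fix works because sqlite3_mprintf's "%q" conversion doubles every single quote in its argument and, since arg is no longer the format string, leaves '%' alone. As an added example (not APR or SQLite code), here is a stand-alone C re-implementation of that "%q" escaping plus a helper that counts the conversion directives a formatter would have consumed from arg in the unfixed code; escape_q, count_directives and escape_q_matches are names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Escape arg the way SQLite's "%q" conversion does: every single quote is
 * doubled so the result can sit between single quotes in a statement.
 * Nothing else changes, so a '%' in arg is preserved. Caller frees. */
char *escape_q(const char *arg)
{
    size_t len = strlen(arg), quotes = 0, i, j = 0;
    char *ret;
    for (i = 0; i < len; i++)
        quotes += (arg[i] == '\'');
    if ((ret = malloc(len + quotes + 1)) == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        ret[j++] = arg[i];
        if (arg[i] == '\'')
            ret[j++] = '\'';   /* ' becomes '' */
    }
    ret[j] = '\0';
    return ret;
}

/* Count the printf-style conversions a formatter would try to consume if
 * arg were handed over as the format string, as the unfixed code does.
 * A nonzero count means arg cannot come back verbatim; "%%" counts once. */
size_t count_directives(const char *arg)
{
    size_t n = 0;
    for (const char *p = arg; *p; p++)
        if (*p == '%') {
            n++;
            if (p[1] == '%')
                p++;
        }
    return n;
}

/* Escape arg and compare with expected; frees the buffer. Returns 1 on match. */
int escape_q_matches(const char *arg, const char *expected)
{
    char *got = escape_q(arg);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

Feeding constructed inputs such as "it's 50% off" through escape_q yields "it''s 50% off", while count_directives reports that the same string carries one directive the unfixed code would have misinterpreted.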