manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: Release?
Date Tue, 07 Dec 2010 03:22:22 GMT
Changes complete.
This was helpful in that it found a bug in the sql generated for
PostgreSQL for two of the history reports.  Aside from that, I still
believe this is more of a precaution than a necessity.

Karl


On Mon, Dec 6, 2010 at 8:35 PM, Karl Wright <daddywri@gmail.com> wrote:
> Here is a list of the pertinent places where quoteSQLString is used.
> Note that EXCEPT in a couple of cases where quoteSQLString was needed
> to furnish an argument for a clause being formed by a database
> abstraction method, ALL other cases are quoting of constant values,
> save in one case, which I am happy to change.
>
>>>>>>>
> ./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/Jobs.java
>        getTableName()+" WHERE
> "+statusField+"!="+quoteSQLString(statusToString(STATUS_READYFORDELETE))+
>        " AND "+statusField+"!="+quoteSQLString(statusToString(STATUS_READYFORDELETE_NOOUTPUT))+
>      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")",null,null,null);
>      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")",null,null,null);
>      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")
> "+constructOffsetLimitClause(0,1),null,null,null,1);
>      statusField+" IN
> ("+quoteSQLString(statusToString(STATUS_READYFORDELETE))+","+
>      quoteSQLString(statusToString(STATUS_SHUTTINGDOWN))+")
> "+constructOffsetLimitClause(0,1),
>      quoteSQLString(statusToString(STATUS_ACTIVE)) + "," +
>      quoteSQLString(statusToString(STATUS_ACTIVESEEDING)) +
> ./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/JobManager.java
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))+
>          " AND
> t1."+jobs.statusField+"="+database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE))+
>          ")) OR
> (t0."+jobQueue.statusField+"="+database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))+
>          " AND
> t3."+jobs.statusField+"="+database.quoteSQLString(jobs.statusToString(jobs.STATUS_SHUTTINGDOWN))+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
>          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED))+
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))).append(")
> AND EXISTS(SELECT 'x' FROM ").append(jobs.getTableName()).append(" t1
> WHERE t0.")
>      .append(database.quoteSQLString(jobQueue.statusToString(JobQueue.STATUS_COMPLETE))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(JobQueue.STATUS_PURGATORY))).append(")")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSED))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAIT))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAIT))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_READYFORSTARTUP))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_STARTINGUP))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGSTARTINGUPFORRESTART))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGSTARTINGUP))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDSEEDING))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAITSEEDING))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAITSEEDING))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTING))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGFORRESTART))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGFORRESTARTSEEDING))).append("))
> AND ")
>      .append(database.quoteSQLString(JobQueue.statusToString(jobQueue.STATUS_PENDING))).append(",")
>      .append(database.quoteSQLString(JobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append(")
> AND (")
>      .append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(JobQueue.ACTION_RESCAN)))
>      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))).append(")
> AND ");
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
>      .append(database.quoteSQLString(Jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(Jobs.statusToString(jobs.STATUS_ACTIVESEEDING)))
>      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))).append(")
> AND t1.")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append(",")
>      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_INACTIVE))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAIT))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAITSEEDING))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDWAIT))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDWAITSEEDING))+")
> AND "+
>        jobs.startMethodField+"!="+database.quoteSQLString(jobs.startMethodToString(IJobDescription.START_DISABLE))+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_UNINSTALLED))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_UNINSTALLED))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NOOUTPUT))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_NOOUTPUT))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NEITHER))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_NEITHER))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSED))+","+
>        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDSEEDING))+")
> AND "+
>          "t99."+jobQueue.statusField+"="+database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)),
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+"
> AND "+
>          jobs.typeField+"="+database.quoteSQLString(jobs.typeToString(jobs.TYPE_CONTINUOUS))+"
> AND ("+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORSTARTUP))+"
> FOR UPDATE",null,null,null);
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE_NOOUTPUT))+")
> FOR UPDATE",null,null,null);
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAIT))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_UNINSTALLED))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NOOUTPUT))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NEITHER))+")
> FOR UPDATE",null,null,null);
>      database.quoteSQLString(jobs.statusToString(jobs.STATUS_NOTIFYINGOFCOMPLETION)),null,null,null);
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ABORTING))+","+
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ABORTINGFORRESTART))+")
> FOR UPDATE",null,null,null);
>          database.quoteSQLString(jobs.statusToString(jobs.STATUS_SHUTTINGDOWN))+"
> FOR UPDATE",null,null,null);
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_UNINSTALLED))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_UNINSTALLED))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_NOOUTPUT))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_NOOUTPUT))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_NEITHER))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_NEITHER))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSED))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDSEEDING))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAIT))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAITSEEDING))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAIT))+","+
>      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAITSEEDING))+")";
>      Jobs.statusField+"="+database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_INACTIVE))+"
> AND "+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVE))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCAN))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDING))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVEPURGATORY))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDINGPURGATORY))+")"+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_COMPLETE))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PURGATORY))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVEPURGATORY))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
>      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDINGPURGATORY))+")"+
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING))).append("
> THEN 'Not yet processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append("
> THEN 'Not yet processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append("
> THEN 'Not yet processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append("
> THEN 'Processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append("
> THEN 'Processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append("
> THEN 'Processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))).append("
> THEN 'Processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))).append("
> THEN 'Processed'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED))).append("
> THEN 'Being removed'")
>      .append("(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
>      .append(" AND (t0.").append(jobQueue.checkActionField).append("
> IS NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND (t0.").append(jobQueue.checkActionField).append("
> IS NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" WHEN
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
>      .append("(t0.").append(jobQueue.checkActionField).append(" IS
> NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>      .append("t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>      .append(" OR
> ").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>      .append(" WHEN
> ").append("(t0.").append(jobQueue.checkActionField).append(" IS NULL
> OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")
> THEN 'Process'")
>      .append(" WHEN
> ").append("t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE))).append("
> THEN 'Expire'")
>      .append("(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
>      .append("(").append(jobQueue.checkActionField).append(" IS NULL
> OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>      .append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>      .append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
>      .append(" AND (").append(jobQueue.checkActionField).append(" IS
> NULL OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND (").append(jobQueue.checkActionField).append(" IS
> NULL OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>      .append(" AND
> (").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>      .append(" OR
> ").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>    sb.append(database.constructSubstringClause(columnPrefix+columnName,database.quoteSQLString(bucketDesc.getRegexp()),!isSensitive));
>      sb.append(database.constructRegexpClause(fieldPrefix+jobQueue.docIDField,database.quoteSQLString(identifierRegexp.getRegexpString()),identifierRegexp.isInsensitive()));
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>          .append(" AND
> (").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
> NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")");
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
>          .append(" AND
> ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)));
>        sb.append(fieldPrefix).append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)));
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>          .append(" AND
> (").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
> NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>          .append(" AND
> ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>          .append(" AND
> (").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
> NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
>          .append(" AND
> ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
>          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
>          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
> ./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/HopCount.java
>      commonNewExpression =
> intrinsicLinkManager.newField+"="+quoteSQLString(intrinsicLinkManager.statusToString(intrinsicLinkManager.LINKSTATUS_BASE));
> ./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/JobQueue.java
>      quoteSQLString(statusToString(STATUS_PENDING)),list);
>      quoteSQLString(statusToString(STATUS_PENDING)),list,null);
>      quoteSQLString(statusToString(STATUS_PENDINGPURGATORY))+","+
>      quoteSQLString(statusToString(STATUS_COMPLETE))+")",list,null);
>      quoteSQLString(statusToString(STATUS_COMPLETE)),list,null);
>      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVEPURGATORY))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVENEEDRESCAN))+","+
>      quoteSQLString(statusToString(STATUS_ACTIVENEEDRESCANPURGATORY))+")
> "+constructOffsetLimitClause(0,1),list,null,null,1);
> ./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/repository/RepositoryHistoryManager.java
>    sb.append(constructSubstringClause(columnPrefix+columnName,quoteSQLString(bucketDesc.getRegexp()),!isSensitive));
>    sb.append(fieldPrefix).append(ownerNameField).append("=").append(quoteSQLString(connectionName));
>          sb.append(quoteSQLString(activity));
>      sb.append(constructRegexpClause(fieldPrefix+entityIdentifierField,quoteSQLString(entityMatch.getRegexpString()),entityMatch.isInsensitive()));
>      sb.append(constructRegexpClause(fieldPrefix+resultCodeField,quoteSQLString(resultCodeMatch.getRegexpString()),resultCodeMatch.isInsensitive()));
> <<<<<<
>
> The abstractions that require a quote string argument as input are:
> - constructSubstringClause
> - constructRegexpClause
>
> These can, of course, be redefined to work by using parameterized
> queries, but doing so limits their flexibility as abstractions
> considerably, so I'd rather not do that unless it was actually shown
> that quoteSQLString is not or could not be made safe.
>
> The case I will change involves the last file:
> RepositoryHistoryManager, which as you see quotes a connection name
> and an activity name.
>
> Karl
>
>
> On Mon, Dec 6, 2010 at 7:45 PM, Karl Wright <daddywri@gmail.com> wrote:
>> quoteSQLString is used mainly for data content that is not directly
>> sourced from input, such as state values, etc.  So your concern is
>> unlikely to be actually true.  But even so, if you are saying that all
>> of these should be converted to prepared values, fine - but this would
>> be a large job and is likely to be error prone.  Would it not be
>> better to address any concerns you might have about quoteSQLString
>> instead?
>>
>> Since quoteSQLString uses ' as it's quotation mark, and properly
>> escapes ' characters within the string, I claim that the method is
>> properly written and cannot be used for a sql attack.  If you
>> disagree, provide me a string that "breaks" the escaping that it does.
>>  The definition of such breakage is a string that, when escaped with
>> quoteSQLString, causes the query to interpret ANY of the string's
>> contents as something other than the string.
>>
>> The link you provided lists many kinds of exploit, most of them
>> fundamentally issues with (a) non-escaping of strings, and (b) taking
>> advantage of flaws in (say) PHP or ASP.  ALL of them are thwarted by
>> proper escaping of character content.
>>
>> Karl
>>
>> On Mon, Dec 6, 2010 at 7:30 PM, Robert Muir <rcmuir@gmail.com> wrote:
>>> On Mon, Dec 6, 2010 at 7:18 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>
>>>> As for the sql injection question, please elaborate.  There is no UI
>>>> ability to do sql injection that I am aware of, because all the
>>>> strings you might enter are properly escaped before being incorporated
>>>> into queries.  This includes queries that come via the API and
>>>> Authority Service.  So I guess I need an example of how you might
>>>> cause a sql injection given the current code.
>>>>
>>>
>>> Escaping tends to only thwart casual attackers, not motivated ones or
>>> even automated tools.
>>>
>>> For example the escaping i see used here: e.g. quoteSQLString seems to
>>> only quote single-quote characters.
>>>
>>> There are a number of techniques to workaround this type of escaping,
>>> some are listed here:
>>> http://www.slideshare.net/inquis/sql-injection-not-only-and-11
>>>
>>> In my opinion all variables should be explicitly bound via PreparedStatements.
>>>
>>
>

Mime
View raw message