manifoldcf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: Release?
Date Tue, 07 Dec 2010 01:35:10 GMT
Here is a list of the pertinent places where quoteSQLString is used.
Note that EXCEPT in a couple of cases where quoteSQLString was needed
to furnish an argument for a clause being formed by a database
abstraction method, ALL other cases are quoting of constant values,
save in one case, which I am happy to change.

>>>>>>
./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/Jobs.java
        getTableName()+" WHERE
"+statusField+"!="+quoteSQLString(statusToString(STATUS_READYFORDELETE))+
        " AND "+statusField+"!="+quoteSQLString(statusToString(STATUS_READYFORDELETE_NOOUTPUT))+
      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")",null,null,null);
      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")",null,null,null);
      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
      quoteSQLString(statusToString(STATUS_ACTIVESEEDING))+")
"+constructOffsetLimitClause(0,1),null,null,null,1);
      statusField+" IN
("+quoteSQLString(statusToString(STATUS_READYFORDELETE))+","+
      quoteSQLString(statusToString(STATUS_SHUTTINGDOWN))+")
"+constructOffsetLimitClause(0,1),
      quoteSQLString(statusToString(STATUS_ACTIVE)) + "," +
      quoteSQLString(statusToString(STATUS_ACTIVESEEDING)) +
./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/JobManager.java
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))+
          " AND
t1."+jobs.statusField+"="+database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE))+
          ")) OR
(t0."+jobQueue.statusField+"="+database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))+
          " AND
t3."+jobs.statusField+"="+database.quoteSQLString(jobs.statusToString(jobs.STATUS_SHUTTINGDOWN))+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
          database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED))+
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))).append(")
AND EXISTS(SELECT 'x' FROM ").append(jobs.getTableName()).append(" t1
WHERE t0.")
      .append(database.quoteSQLString(jobQueue.statusToString(JobQueue.STATUS_COMPLETE))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(JobQueue.STATUS_PURGATORY))).append(")")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSED))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAIT))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAIT))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_READYFORSTARTUP))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_STARTINGUP))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGSTARTINGUPFORRESTART))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGSTARTINGUP))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDSEEDING))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAITSEEDING))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAITSEEDING))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTING))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGFORRESTART))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ABORTINGFORRESTARTSEEDING))).append("))
AND ")
      .append(database.quoteSQLString(JobQueue.statusToString(jobQueue.STATUS_PENDING))).append(",")
      .append(database.quoteSQLString(JobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append(")
AND (")
      .append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(JobQueue.ACTION_RESCAN)))
      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))).append(")
AND ");
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
      .append(database.quoteSQLString(Jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(Jobs.statusToString(jobs.STATUS_ACTIVESEEDING)))
      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))).append(")
AND t1.")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append(",")
      .append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_INACTIVE))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAIT))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAITSEEDING))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDWAIT))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDWAITSEEDING))+")
AND "+
        jobs.startMethodField+"!="+database.quoteSQLString(jobs.startMethodToString(IJobDescription.START_DISABLE))+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_UNINSTALLED))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_UNINSTALLED))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NOOUTPUT))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_NOOUTPUT))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NEITHER))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVESEEDING_NEITHER))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSED))+","+
        database.quoteSQLString(jobs.statusToString(jobs.STATUS_PAUSEDSEEDING))+")
AND "+
          "t99."+jobQueue.statusField+"="+database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)),
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+"
AND "+
          jobs.typeField+"="+database.quoteSQLString(jobs.typeToString(jobs.TYPE_CONTINUOUS))+"
AND ("+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORSTARTUP))+"
FOR UPDATE",null,null,null);
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_READYFORDELETE_NOOUTPUT))+")
FOR UPDATE",null,null,null);
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVEWAIT))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_UNINSTALLED))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NOOUTPUT))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ACTIVE_NEITHER))+")
FOR UPDATE",null,null,null);
      database.quoteSQLString(jobs.statusToString(jobs.STATUS_NOTIFYINGOFCOMPLETION)),null,null,null);
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ABORTING))+","+
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_ABORTINGFORRESTART))+")
FOR UPDATE",null,null,null);
          database.quoteSQLString(jobs.statusToString(jobs.STATUS_SHUTTINGDOWN))+"
FOR UPDATE",null,null,null);
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_UNINSTALLED))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_UNINSTALLED))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_NOOUTPUT))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_NOOUTPUT))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVE_NEITHER))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVESEEDING_NEITHER))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSED))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDSEEDING))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAIT))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_ACTIVEWAITSEEDING))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAIT))+","+
      database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_PAUSEDWAITSEEDING))+")";
      Jobs.statusField+"="+database.quoteSQLString(Jobs.statusToString(Jobs.STATUS_INACTIVE))+"
AND "+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVE))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCAN))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDING))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVEPURGATORY))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDINGPURGATORY))+")"+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_COMPLETE))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PURGATORY))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVEPURGATORY))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))+","+
      database.quoteSQLString(JobQueue.statusToString(JobQueue.STATUS_PENDINGPURGATORY))+")"+
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING))).append("
THEN 'Not yet processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE))).append("
THEN 'Not yet processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN))).append("
THEN 'Not yet processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY))).append("
THEN 'Processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY))).append("
THEN 'Processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY))).append("
THEN 'Processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE))).append("
THEN 'Processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY))).append("
THEN 'Processed'")
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED))).append("
THEN 'Being removed'")
      .append("(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
      .append(" AND (t0.").append(jobQueue.checkActionField).append("
IS NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND (t0.").append(jobQueue.checkActionField).append("
IS NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" WHEN
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
      .append("(t0.").append(jobQueue.checkActionField).append(" IS
NULL OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
      .append("t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
      .append(" OR
").append("t0.").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
      .append(" WHEN
").append("(t0.").append(jobQueue.checkActionField).append(" IS NULL
OR t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")
THEN 'Process'")
      .append(" WHEN
").append("t0.").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE))).append("
THEN 'Expire'")
      .append("(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
      .append("(").append(jobQueue.checkActionField).append(" IS NULL
OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
      .append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
      .append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
      .append(" AND (").append(jobQueue.checkActionField).append(" IS
NULL OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND (").append(jobQueue.checkActionField).append(" IS
NULL OR ").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
").append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
      .append(" AND
(").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
      .append(" OR
").append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
    sb.append(database.constructSubstringClause(columnPrefix+columnName,database.quoteSQLString(bucketDesc.getRegexp()),!isSensitive));
      sb.append(database.constructRegexpClause(fieldPrefix+jobQueue.docIDField,database.quoteSQLString(identifierRegexp.getRegexpString()),identifierRegexp.isInsensitive()));
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_COMPLETE)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PURGATORY)))
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
          .append(" AND
(").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")");
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVE)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCAN)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVEPURGATORY)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_ACTIVENEEDRESCANPURGATORY)))
          .append(" AND
").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)));
        sb.append(fieldPrefix).append(jobQueue.statusField).append("=").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_BEINGDELETED)));
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
          .append(" AND
(").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
          .append(" AND
").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
          .append(" AND
(").append(fieldPrefix).append(jobQueue.checkActionField).append(" IS
NULL OR ").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_RESCAN))).append(")")
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
          .append(" AND
").append(fieldPrefix).append(jobQueue.checkActionField).append("=").append(database.quoteSQLString(jobQueue.actionToString(jobQueue.ACTION_REMOVE)))
          .append("(").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDING)))
          .append(",").append(database.quoteSQLString(jobQueue.statusToString(jobQueue.STATUS_PENDINGPURGATORY)))
./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/HopCount.java
      commonNewExpression =
intrinsicLinkManager.newField+"="+quoteSQLString(intrinsicLinkManager.statusToString(intrinsicLinkManager.LINKSTATUS_BASE));
./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/jobs/JobQueue.java
      quoteSQLString(statusToString(STATUS_PENDING)),list);
      quoteSQLString(statusToString(STATUS_PENDING)),list,null);
      quoteSQLString(statusToString(STATUS_PENDINGPURGATORY))+","+
      quoteSQLString(statusToString(STATUS_COMPLETE))+")",list,null);
      quoteSQLString(statusToString(STATUS_COMPLETE)),list,null);
      quoteSQLString(statusToString(STATUS_ACTIVE))+","+
      quoteSQLString(statusToString(STATUS_ACTIVEPURGATORY))+","+
      quoteSQLString(statusToString(STATUS_ACTIVENEEDRESCAN))+","+
      quoteSQLString(statusToString(STATUS_ACTIVENEEDRESCANPURGATORY))+")
"+constructOffsetLimitClause(0,1),list,null,null,1);
./framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/repository/RepositoryHistoryManager.java
    sb.append(constructSubstringClause(columnPrefix+columnName,quoteSQLString(bucketDesc.getRegexp()),!isSensitive));
    sb.append(fieldPrefix).append(ownerNameField).append("=").append(quoteSQLString(connectionName));
          sb.append(quoteSQLString(activity));
      sb.append(constructRegexpClause(fieldPrefix+entityIdentifierField,quoteSQLString(entityMatch.getRegexpString()),entityMatch.isInsensitive()));
      sb.append(constructRegexpClause(fieldPrefix+resultCodeField,quoteSQLString(resultCodeMatch.getRegexpString()),resultCodeMatch.isInsensitive()));
<<<<<<

The abstractions that require a quote string argument as input are:
- constructSubstringClause
- constructRegexpClause

These can, of course, be redefined to work by using parameterized
queries, but doing so limits their flexibility as abstractions
considerably, so I'd rather not do that unless it was actually shown
that quoteSQLString is not or could not be made safe.

The case I will change involves the last file:
RepositoryHistoryManager, which as you see quotes a connection name
and an activity name.

Karl


On Mon, Dec 6, 2010 at 7:45 PM, Karl Wright <daddywri@gmail.com> wrote:
> quoteSQLString is used mainly for data content that is not directly
> sourced from input, such as state values, etc.  So your concern is
> unlikely to be actually true.  But even so, if you are saying that all
> of these should be converted to prepared values, fine - but this would
> be a large job and is likely to be error prone.  Would it not be
> better to address any concerns you might have about quoteSQLString
> instead?
>
> Since quoteSQLString uses ' as it's quotation mark, and properly
> escapes ' characters within the string, I claim that the method is
> properly written and cannot be used for a sql attack.  If you
> disagree, provide me a string that "breaks" the escaping that it does.
>  The definition of such breakage is a string that, when escaped with
> quoteSQLString, causes the query to interpret ANY of the string's
> contents as something other than the string.
>
> The link you provided lists many kinds of exploit, most of them
> fundamentally issues with (a) non-escaping of strings, and (b) taking
> advantage of flaws in (say) PHP or ASP.  ALL of them are thwarted by
> proper escaping of character content.
>
> Karl
>
> On Mon, Dec 6, 2010 at 7:30 PM, Robert Muir <rcmuir@gmail.com> wrote:
>> On Mon, Dec 6, 2010 at 7:18 PM, Karl Wright <daddywri@gmail.com> wrote:
>>
>>> As for the sql injection question, please elaborate.  There is no UI
>>> ability to do sql injection that I am aware of, because all the
>>> strings you might enter are properly escaped before being incorporated
>>> into queries.  This includes queries that come via the API and
>>> Authority Service.  So I guess I need an example of how you might
>>> cause a sql injection given the current code.
>>>
>>
>> Escaping tends to only thwart casual attackers, not motivated ones or
>> even automated tools.
>>
>> For example the escaping i see used here: e.g. quoteSQLString seems to
>> only quote single-quote characters.
>>
>> There are a number of techniques to workaround this type of escaping,
>> some are listed here:
>> http://www.slideshare.net/inquis/sql-injection-not-only-and-11
>>
>> In my opinion all variables should be explicitly bound via PreparedStatements.
>>
>

Mime
View raw message