[PATCH] dlr_mysql.c - Table name fix

Hi all,

Here is a patch that escape table names from mysql specs.
This will fix the SQL syntax error.

Simple POC (set your mysql conf as this)
group = dlr-db
id = mydlr
table = SELECT

You will get : ERROR 1064 (42000): You have an error in your SQL syntax;

Vincent

--
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
v.chavanis@...
Tel : +33 4 92 90 99 84 (fax 9142)

--- dlr_mysql.c 2009-09-04 09:59:31.000000000 +0200
+++ dlr_mysql.c 2009-10-09 15:02:03.032683139 +0200
@@ -103,7 +103,7 @@
         return;
     }
 
-    sql = octstr_format("INSERT INTO %S (%S, %S, %S, %S, %S, %S, %S, %S, %S) VALUES "
+    sql = octstr_format("INSERT INTO `%S` (`%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`) VALUES "
                         "(?, ?, ?, ?, ?, ?, ?, ?, 0)",
                         fields->table, fields->field_smsc, fields->field_ts,
                         fields->field_src, fields->field_dst, fields->field_serv,
@@ -144,7 +144,7 @@
     if (pconn == NULL) /* should not happens, but sure is sure */
         return NULL;
 
-    sql = octstr_format("SELECT %S, %S, %S, %S, %S, %S FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("SELECT `%S`, `%S`, `%S`, `%S`, `%S`, `%S` FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->field_mask, fields->field_serv,
                         fields->field_url, fields->field_src,
                         fields->field_dst, fields->field_boxc,
@@ -202,7 +202,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("DELETE FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_smsc,
                         fields->field_ts);
 
@@ -234,7 +234,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("UPDATE %S SET %S=? WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("UPDATE `%S` SET `%S`=? WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_status,
                         fields->field_smsc, fields->field_ts);
 
@@ -267,7 +267,7 @@
     if (conn == NULL)
         return -1;
 
-    sql = octstr_format("SELECT count(*) FROM %S", fields->table);
+    sql = octstr_format("SELECT count(*) FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -301,7 +301,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S", fields->table);
+    sql = octstr_format("DELETE FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif

Hi,

But this works as it is. Under what conditions do you recreate error? Lastly
what about the binds wouldn't they need escaping, too, if strings?

BR,
Nikos
----- Original Message -----
From: "Vincent CHAVANIS" <v.chavanis@...>
To: <devel@...>
Sent: Friday, October 09, 2009 4:21 PM
Subject: [PATCH] dlr_mysql.c - Table name fix

The patch looks fine at first sight (didn't tried it). What it does is  
to quote mysql parameters so you can use reserved words as table and/
or columns names.

I'm +1 on it.

Regards,

Alex
--
Alejandro Guerrieri
aguerrieri@...



On 09/10/2009, at 15:54, Nikos Balkanas wrote:

this is Mysql specs (cf http://dev.mysql.com/doc/refman/5.0/en/identifiers.html)
eg. : A reserved word that follows a period in a qualified name must be an identifier, so it need not be quoted.

Then, binds have absolutly nothing to do with this patch
I'm talking about field/table names specified on the config file.
But if binds are not escaped, then we need regular quotes is strings.

Actually if you have a table/field names called SELECT or UPDATE or LIMIT or whatever reserved by mysql
then the SQL parsing error will occur. (And you have plenty of these, please check the link below)
(http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html)

Vincent.


Nikos Balkanas a écrit :
--
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
v.chavanis@...
Tel : +33 4 92 90 99 84 (fax 9142)

Alright. Now I get it. This patch is needed for the case where your table or
its fields have as names one of the SQL reserved words.

+1

Nikos
----- Original Message -----
From: "Vincent CHAVANIS" <v.chavanis@...>
To: <devel@...>
Sent: Friday, October 09, 2009 5:27 PM
Subject: Re: [PATCH] dlr_mysql.c - Table name fix



this is Mysql specs (cf
http://dev.mysql.com/doc/refman/5.0/en/identifiers.html)
eg. : A reserved word that follows a period in a qualified name must be an
identifier, so it need not be quoted.

Then, binds have absolutly nothing to do with this patch
I'm talking about field/table names specified on the config file.
But if binds are not escaped, then we need regular quotes is strings.

Actually if you have a table/field names called SELECT or UPDATE or LIMIT or
whatever reserved by mysql
then the SQL parsing error will occur. (And you have plenty of these, please
check the link below)
(http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html)

Vincent.


Nikos Balkanas a Γ©crit :
--
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
v.chavanis@...
Tel : +33 4 92 90 99 84 (fax 9142)

Hi,

Damn! you're right ;-)

For this issue, i decided to use a macro that
replaces names during the init process

Comments ?

Vincent.


Alexander Malysh a écrit :
--- dlr_mysql.c 2009-09-04 09:59:31.000000000 +0200
+++ dlr_mysql.c 2009-10-12 12:34:47.612500682 +0200
@@ -103,7 +102,7 @@
         return;
     }
 
-    sql = octstr_format("INSERT INTO %S (%S, %S, %S, %S, %S, %S, %S, %S, %S) VALUES "
+    sql = octstr_format("INSERT INTO `%S` (`%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`) VALUES "
                         "(?, ?, ?, ?, ?, ?, ?, ?, 0)",
                         fields->table, fields->field_smsc, fields->field_ts,
                         fields->field_src, fields->field_dst, fields->field_serv,
@@ -144,7 +143,7 @@
     if (pconn == NULL) /* should not happens, but sure is sure */
         return NULL;
 
-    sql = octstr_format("SELECT %S, %S, %S, %S, %S, %S FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("SELECT `%S`, `%S`, `%S`, `%S`, `%S`, `%S` FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->field_mask, fields->field_serv,
                         fields->field_url, fields->field_src,
                         fields->field_dst, fields->field_boxc,
@@ -202,7 +201,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("DELETE FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_smsc,
                         fields->field_ts);
 
@@ -234,7 +233,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("UPDATE %S SET %S=? WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("UPDATE `%S` SET `%S`=? WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_status,
                         fields->field_smsc, fields->field_ts);
 
@@ -267,7 +266,7 @@
     if (conn == NULL)
         return -1;
 
-    sql = octstr_format("SELECT count(*) FROM %S", fields->table);
+    sql = octstr_format("SELECT count(*) FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -301,7 +300,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S", fields->table);
+    sql = octstr_format("DELETE FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -335,6 +334,8 @@
     long pool_size;
     DBConf *db_conf = NULL;
 
+#define QUOTES_TFNAME(a) octstr_replace(a, octstr_imm("`"), octstr_imm("``"))
+
     /*
      * check for all mandatory directives that specify the field names
      * of the used MySQL table
@@ -348,6 +349,17 @@
     fields = dlr_db_fields_create(grp);
     gw_assert(fields != NULL);
 
+    QUOTES_TFNAME(fields->table);
+    QUOTES_TFNAME(fields->field_smsc);
+    QUOTES_TFNAME(fields->field_ts);
+    QUOTES_TFNAME(fields->field_src);
+    QUOTES_TFNAME(fields->field_dst);
+    QUOTES_TFNAME(fields->field_serv);
+    QUOTES_TFNAME(fields->field_url);
+    QUOTES_TFNAME(fields->field_mask);
+    QUOTES_TFNAME(fields->field_status);
+    QUOTES_TFNAME(fields->field_boxc);
+
     /*
      * now grap the required information from the 'mysql-connection' group
      * with the mysql-id we just obtained

Hi again,

I don't see reason to use macro because macro contains only one line...
Could you please drop macro and use plain function call?

Thanks,
Alex

Am 12.10.2009 um 12:39 schrieb Vincent CHAVANIS:

done.

Vincent


Alexander Malysh a écrit :
--- dlr_mysql.c 2009-10-12 13:41:52.204661013 +0200
+++ dlr_mysql.c 2009-10-12 13:42:57.044375347 +0200
@@ -82,6 +81,8 @@
  */
 static struct dlr_db_fields *fields = NULL;
 
+static void quotes_tfname (Octstr * str);
+
 static void dlr_mysql_shutdown()
 {
     dbpool_destroy(pool);
@@ -102,7 +103,7 @@
         return;
     }
 
-    sql = octstr_format("INSERT INTO %S (%S, %S, %S, %S, %S, %S, %S, %S, %S) VALUES "
+    sql = octstr_format("INSERT INTO `%S` (`%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`) VALUES "
                         "(?, ?, ?, ?, ?, ?, ?, ?, 0)",
                         fields->table, fields->field_smsc, fields->field_ts,
                         fields->field_src, fields->field_dst, fields->field_serv,
@@ -143,7 +144,7 @@
     if (pconn == NULL) /* should not happens, but sure is sure */
         return NULL;
 
-    sql = octstr_format("SELECT %S, %S, %S, %S, %S, %S FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("SELECT `%S`, `%S`, `%S`, `%S`, `%S`, `%S` FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->field_mask, fields->field_serv,
                         fields->field_url, fields->field_src,
                         fields->field_dst, fields->field_boxc,
@@ -201,7 +202,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("DELETE FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_smsc,
                         fields->field_ts);
 
@@ -233,7 +234,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("UPDATE %S SET %S=? WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("UPDATE `%S` SET `%S`=? WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_status,
                         fields->field_smsc, fields->field_ts);
 
@@ -266,7 +267,7 @@
     if (conn == NULL)
         return -1;
 
-    sql = octstr_format("SELECT count(*) FROM %S", fields->table);
+    sql = octstr_format("SELECT count(*) FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -300,7 +301,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S", fields->table);
+    sql = octstr_format("DELETE FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -324,6 +325,11 @@
     .dlr_flush = dlr_mysql_flush
 };
 
+static void quotes_tfname(Octstr *str)
+{
+    return octstr_replace(str, octstr_imm("`"), octstr_imm("``"));
+}
+
 struct dlr_storage *dlr_init_mysql(Cfg *cfg)
 {
     CfgGroup *grp;
@@ -347,6 +353,17 @@
     fields = dlr_db_fields_create(grp);
     gw_assert(fields != NULL);
 
+    quotes_tfname(fields->table);
+    quotes_tfname(fields->field_smsc);
+    quotes_tfname(fields->field_ts);            
+    quotes_tfname(fields->field_src);
+    quotes_tfname(fields->field_dst);
+    quotes_tfname(fields->field_serv);
+    quotes_tfname(fields->field_url);
+    quotes_tfname(fields->field_mask);
+    quotes_tfname(fields->field_status);
+    quotes_tfname(fields->field_boxc);
+
     /*
      * now grap the required information from the 'mysql-connection' group
      * with the mysql-id we just obtained

hmm, you make it tooo complicated ;)

why not just:
octstr_replace(fields->table, octstr_imm("`"), octstr_imm("``"));
...

instead of calling function/macro with only one line?

Thanks,
Alex

Am 12.10.2009 um 13:45 schrieb Vincent CHAVANIS:

I'm sure we will find other specific cases that will be processed into this function ;)
Let it as it.

Vincent.


Alexander Malysh a écrit :
--
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
v.chavanis@...
Tel : +33 4 92 90 99 84 (fax 9142)

Am 13.10.2009 um 00:09 schrieb Vincent CHAVANIS:

>
> I'm sure we will find other specific cases that will be processed  
> into this function ;)
> Let it as it.

Vincent, sorry but I don't see reason and case that we will add there.  
Please consider to kill function call
or show me another functional line in this function...

We always can easy add this function again if we find any case that we  
have to escape...

Ok, attached the new patch here.

Vincent.


Alexander Malysh a écrit : --
Telemaque - 06560 SOPHIA-ANTIPOLIS - (FR)
Service Technique/Reseau - NOC
Direction du Developpement xMS+
http://www.telemaque.fr/
v.chavanis@...
Tel : +33 4 92 90 99 84 (fax 9142)

--- dlr_mysql.c 2009-09-04 09:59:31.000000000 +0200
+++ dlr_mysql.c 2009-10-09 15:02:03.032683139 +0200
@@ -103,7 +103,7 @@
         return;
     }
 
-    sql = octstr_format("INSERT INTO %S (%S, %S, %S, %S, %S, %S, %S, %S, %S) VALUES "
+    sql = octstr_format("INSERT INTO `%S` (`%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`, `%S`) VALUES "
                         "(?, ?, ?, ?, ?, ?, ?, ?, 0)",
                         fields->table, fields->field_smsc, fields->field_ts,
                         fields->field_src, fields->field_dst, fields->field_serv,
@@ -144,7 +144,7 @@
     if (pconn == NULL) /* should not happens, but sure is sure */
         return NULL;
 
-    sql = octstr_format("SELECT %S, %S, %S, %S, %S, %S FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("SELECT `%S`, `%S`, `%S`, `%S`, `%S`, `%S` FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->field_mask, fields->field_serv,
                         fields->field_url, fields->field_src,
                         fields->field_dst, fields->field_boxc,
@@ -202,7 +202,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("DELETE FROM `%S` WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_smsc,
                         fields->field_ts);
 
@@ -234,7 +234,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("UPDATE %S SET %S=? WHERE %S=? AND %S=? LIMIT 1",
+    sql = octstr_format("UPDATE `%S` SET `%S`=? WHERE `%S`=? AND `%S`=? LIMIT 1",
                         fields->table, fields->field_status,
                         fields->field_smsc, fields->field_ts);
 
@@ -267,7 +267,7 @@
     if (conn == NULL)
         return -1;
 
-    sql = octstr_format("SELECT count(*) FROM %S", fields->table);
+    sql = octstr_format("SELECT count(*) FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif
@@ -301,7 +301,7 @@
     if (pconn == NULL)
         return;
 
-    sql = octstr_format("DELETE FROM %S", fields->table);
+    sql = octstr_format("DELETE FROM `%S`", fields->table);
 #if defined(DLR_TRACE)
     debug("dlr.mysql", 0, "sql: %s", octstr_get_cstr(sql));
 #endif

@@ -349,6 +347,20 @@
     gw_assert(fields != NULL);
 
     /*
+     * Escaping special quotes for field/table names
+     */
+    octstr_replace(fields->table, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_smsc, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_ts, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_src, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_dst, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_serv, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_url, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_mask, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_status, octstr_imm("`"), octstr_imm("``"));
+    octstr_replace(fields->field_boxc, octstr_imm("`"), octstr_imm("``"));
+
+    /*
      * now grap the required information from the 'mysql-connection' group
      * with the mysql-id we just obtained
      *

commited to cvs, thx!

Thanks,
Alexander Malysh

Am 13.10.2009 um 11:01 schrieb Vincent CHAVANIS: