MensBeam/Arsse
3
1
Fork 0
Code Issues 24 Pull requests Releases 31 Activity

Bad interactions with PostgreSQL query munging and embedded values #175

New issue
Closed
opened 2019-09-11 10:05:39 -04:00 by jking · 0 comments
jking commented 2019-09-11 10:05:39 -04:00
Owner
Copy link

Natively PostgreSQL uses e.g. $1 as a parameter marker instead of ?. PDO handles this conversion, but for the native driver we've had to change the markers ourselves.

When this was originally implemented it was assumed all values would be placed in parameters and thus any ? characters would be parameter markers and a simple string replacement could be used. Since then, strings are sometimes embedded to ease pressure on the limited number of parameter markers themselves; strings literals containing ? might therefore now appear in queries, breaking things spectacularly.

Indeed, this part of query construction is poorly tested, so more tests are required. The simplest solution is probably to never embed any string which contains a question mark.

Natively PostgreSQL uses e.g. `$1` as a parameter marker instead of `?`. PDO handles this conversion, but for the native driver we've had to change the markers ourselves. When this was originally implemented it was assumed all values would be placed in parameters and thus any `?` characters would be parameter markers and a simple string replacement could be used. Since then, strings are sometimes embedded to ease pressure on the limited number of parameter markers themselves; strings literals containing `?` might therefore now appear in queries, breaking things spectacularly. Indeed, this part of query construction is poorly tested, so more tests are required. The simplest solution is probably to never embed any string which contains a question mark.
jking added this to the Future milestone 2019-09-11 10:05:39 -04:00
jking self-assigned this 2019-09-11 10:05:39 -04:00
jking 2019-09-11 10:05:39 -04:00
  • closed this issue
  • added the
    bug
         label
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
reader
rpm
docker
microsub
0.12.0
0.11.0
0.10.6
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.2
0.9.1
0.9.0
0.8.5
0.8.4
0.8.3
0.8.2
0.8.1
0.8.0
0.7.1
0.7.0
0.6.1
0.6.0
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.1
0.1.0
Labels
Clear labels   
admin tools

   
api

   
bug

   
documentation

   
duplicate

   
enhancement

   
feature

   
help wanted

   
in progress

   
internals

   
invalid

   
packaging

   
question

   
testing

   
trivial

   
wontfix
No labels
admin tools
api
bug
documentation
duplicate
enhancement
feature
help wanted
in progress
internals
invalid
packaging
question
testing
trivial
wontfix
Milestone
Clear milestone
No items
No milestone
Future
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
jking
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: MensBeam/Arsse#175
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?