not all fields escaped in php editor lib

Maikel (Posts: 75, Questions: 18, Answers: 1)

Most fields are nicely escaped:

`regressiondb_store2db`.`IPSec_DataRate`.`Private_IP_Version` as 'regressiondb_store2db.IPSec_DataRate.Private_IP_Version'

But some fields are not escaped at all: the field names, db names and table names are not escaped when there is a () in the field name.

regressiondb_store2db.IPSec_DataRate.Tunnel_Count(each-direction) as 'regressiondb_store2db.IPSec_DataRate.Tunnel_Count(each-direction)',

Below is the full result (debug) output:

{"fieldErrors":[],"error":"SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '(Gbps) as 'regressiondb_store2db.IPSec_DataRate.Throughput(Gbps)', `regressiondb' at line 1","data":[],"ipOpts":[],"cancelled":[],"debug":[{"query":"SELECT COUNT( `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_id` ) as `cnt` FROM `regressiondb_store2db`.`IPSec_DataRate` LEFT JOIN `run` ON `run`.`id` = `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_run_id` LEFT JOIN `regressRun` ON `regressRun`.`id` = `run`.`regressRun_id` LEFT JOIN `testbed` ON `regressRun`.`testbed_id` = `testbed`.`id` ","bindings":[]},{"query":"SELECT COUNT( `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_id` ) as `cnt` FROM `regressiondb_store2db`.`IPSec_DataRate` ","bindings":[]},{"query":"SELECT `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_id` as 'regressiondb_store2db.IPSec_DataRate._rdb_id', `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_branch` as 'regressiondb_store2db.IPSec_DataRate._rdb_branch', `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_test` as 'regressiondb_store2db.IPSec_DataRate._rdb_test', `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_date` as 'regressiondb_store2db.IPSec_DataRate._rdb_date', `regressiondb_store2db`.`IPSec_DataRate`.`Frame_Size` as 'regressiondb_store2db.IPSec_DataRate.Frame_Size', `regressiondb_store2db`.`IPSec_DataRate`.`Auth` as 'regressiondb_store2db.IPSec_DataRate.Auth', `regressiondb_store2db`.`IPSec_DataRate`.`Encr` as 'regressiondb_store2db.IPSec_DataRate.Encr', regressiondb_store2db.IPSec_DataRate.Throughput(Gbps) as 'regressiondb_store2db.IPSec_DataRate.Throughput(Gbps)', `regressiondb_store2db`.`IPSec_DataRate`.`Tolerance` as 'regressiondb_store2db.IPSec_DataRate.Tolerance', `regressiondb_store2db`.`IPSec_DataRate`.`Phys_Topo` as 'regressiondb_store2db.IPSec_DataRate.Phys_Topo', `regressiondb_store2db`.`IPSec_DataRate`.`Sub_Topo` as 'regressiondb_store2db.IPSec_DataRate.Sub_Topo', `regressiondb_store2db`.`IPSec_DataRate`.`Init_VFP_Count` as 'regressiondb_store2db.IPSec_DataRate.Init_VFP_Count', `regressiondb_store2db`.`IPSec_DataRate`.`Resp_VFP_Count` as 'regressiondb_store2db.IPSec_DataRate.Resp_VFP_Count', `regressiondb_store2db`.`IPSec_DataRate`.`Init_QAT_VF_Count` as 'regressiondb_store2db.IPSec_DataRate.Init_QAT_VF_Count', `regressiondb_store2db`.`IPSec_DataRate`.`Resp_QAT_VF_Count` as 'regressiondb_store2db.IPSec_DataRate.Resp_QAT_VF_Count', `regressiondb_store2db`.`IPSec_DataRate`.`Public_IP_Version` as 'regressiondb_store2db.IPSec_DataRate.Public_IP_Version', `regressiondb_store2db`.`IPSec_DataRate`.`Private_IP_Version` as 'regressiondb_store2db.IPSec_DataRate.Private_IP_Version', regressiondb_store2db.IPSec_DataRate.Tunnel_Count(each-direction) as 'regressiondb_store2db.IPSec_DataRate.Tunnel_Count(each-direction)', `regressiondb_store2db`.`IPSec_DataRate`.`Flexi_Params` as 'regressiondb_store2db.IPSec_DataRate.Flexi_Params', `regressiondb_store2db`.`IPSec_DataRate`.`Testbed` as 'regressiondb_store2db.IPSec_DataRate.Testbed', `regressiondb_store2db`.`IPSec_DataRate`.`Build` as 'regressiondb_store2db.IPSec_DataRate.Build', `regressRun`.`link` as 'regressRun.link', `testbed`.`ipAddr` as 'testbed.ipAddr', `testbed`.`name` as 'testbed.name' FROM `regressiondb_store2db`.`IPSec_DataRate` LEFT JOIN `run` ON `run`.`id` = `regressiondb_store2db`.`IPSec_DataRate`.`_rdb_run_id` LEFT JOIN `regressRun` ON `regressRun`.`id` = `run`.`regressRun_id` LEFT JOIN `testbed` ON `regressRun`.`testbed_id` = `testbed`.`id` LIMIT 50","bindings":[]}]}

Answers

  • allan (Posts: 63,728, Questions: 1, Answers: 10,506, Site admin)

    This is correct - if there are parentheses in the text, the libraries intentionally do not escape the field. Instead they assume that you plan to execute a function.

    I'm afraid the libraries do not currently support a parenthesis in the column names of the database tables.

    Allan

  • Maikel (Posts: 75, Questions: 18, Answers: 1)

    Is there a way we can disable the auto-escaping and do the escaping on our own?

    That would be a solution for my problems.

  • allan (Posts: 63,728, Questions: 1, Answers: 10,506, Site admin)

    No - sorry. The link I gave above is where you would need to modify the code if you wanted to do so, but there isn't an external API to do it. You'd need to modify the code directly.

    Allan
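As an added illustration (not the Editor libraries' own code) of why the parenthesis heuristic Allan describes breaks on names like Throughput(Gbps), and how quoting every identifier part in backticks avoids the problem on MySQL/MariaDB. The heuristic function is a hypothetical reconstruction of the described behaviour, and the column names are taken from the debug output in the question.

```php
<?php
// Added example, not code from the DataTables Editor libraries. A quoting
// rule that skips names containing "(" lets any such name reach the SQL
// text raw; quoting each identifier part unconditionally removes that path.

// Quote one identifier part for MySQL/MariaDB: wrap in backticks and double
// any embedded backtick. Parentheses, dashes and spaces then stay literal
// characters of the name and are never parsed as a function call.
function quoteIdentifierPart(string $part): string
{
    if ($part === '' || strpos($part, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier part');
    }
    return '`' . str_replace('`', '``', $part) . '`';
}

// Quote a dotted db.table.column reference part by part.
// Assumes the individual names contain no dots themselves.
function quoteIdentifier(string $name): string
{
    return implode('.', array_map('quoteIdentifierPart', explode('.', $name)));
}

// SELECT list entry "<quoted column> AS <quoted alias>"; the alias is a
// single backtick-quoted identifier holding the full dotted name.
function selectEntry(string $name): string
{
    return quoteIdentifier($name) . ' AS ' . quoteIdentifierPart($name);
}

// Hypothetical reconstruction of the heuristic behind the 1064 error above:
// a name containing "(" is passed through unquoted as if it were a function.
function heuristicEntry(string $name): string
{
    $col = strpos($name, '(') !== false ? $name : quoteIdentifier($name);
    return $col . " AS '" . $name . "'";
}

// Column names from the debug output in the question.
$cols = [
    'regressiondb_store2db.IPSec_DataRate.Frame_Size',
    'regressiondb_store2db.IPSec_DataRate.Throughput(Gbps)',
    'regressiondb_store2db.IPSec_DataRate.Tunnel_Count(each-direction)',
];

foreach ($cols as $c) {
    echo "heuristic: ", heuristicEntry($c), "\n";
    echo "quoted:    ", selectEntry($c), "\n\n";
}
```

For the two parenthesised names the heuristic line is the unquoted fragment MariaDB rejects, while the quoted line is valid SQL; a column name containing a backtick is also handled by the doubling.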
