Stipe, list,

IMHO consuming DBPoolConns is not a bad thing. After all, that is why the
pool even exists. So consuming and producing sql connections is not so
expensive.

In your patch: Where exactly do you escape the parameters to the sql
string? I couldn't find that so quickly.

In most of the Chimit code, we use something like this:

Octstr *sql = octstr_sql_format("SELECT * from table where pk = '%s'",
PrimaryKey);

The function octstr_sql_format is crafted so that before replacing the value
of PrimaryKey on the place that says %s in the format string, it is
automatically sql-escaped.
This way, you never have to worry about escaping stuff - everything goes
automagically. This is a clean and generic solution that generates little
coding effort.

Rene Kluwen
Chimit

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Stipe Tolj
Sent: maandag 26 september 2005 19:10
To: Kannel Development list
Subject: [PATCH] mysql_real_escape_string() usage in gw/dlr_mysql.c


Hi list,

according to bug #258 we don't use the string character escaping functions
from mysql client library to ensure the safety of the SQL statements.

Attached is a patch for gw/dlr_mysql.c:dlr_mysql_add() which uses a static
mysql_escaipe() that does this. Please review and vote for commitment. This
should be also extended to the other SQL statements, right?

Actually this is a bit "glitchy", since we have to consume the DBPoolConn*
_before_ passing the strings to the mysql_real_escape_string() routine. It
expects a mysql connection in order to ensure that it gets the right
character set encoding.

Anyone having a better "way" in doing this? I don't feel it's the "smoothest"
code for it, but it saves at least a subsequent consumption of
DBPoolConn's while doing the string escaping.

Any improvements welcome.

Stipe

mailto:stolj_{at}_wapme-group.de
-------------------------------------------------------------------
Wapme Systems AG

Vogelsanger Weg 80
40470 Düsseldorf, NRW, Germany

phone: +49.211.74845.0
fax: +49.211.74845.299

mailto:info_{at}_wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------
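
Added example, not part of the original messages and not Chimit's or Kannel's code: a minimal escape-on-format helper of the kind the reply describes, where every %s argument is escaped before it is substituted. The names sql_format_escaped and sql_escape and the byte-wise rule set are assumptions; unlike mysql_real_escape_string() it takes no connection and so is not character-set aware, which is the reason the quoted message gives for consuming the connection first.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Write the escaped form of s to out (if non-NULL) and return its length.
 * Assumed byte-wise rule set: \ ' " \n \r and Ctrl-Z get a backslash. */
static size_t sql_escape(const char *s, char *out)
{
    size_t n = 0;
    for (; *s; s++) {
        char c = *s, e = 0;
        switch (c) {
        case '\\': case '\'': case '"': e = c; break;
        case '\n': e = 'n'; break;
        case '\r': e = 'r'; break;
        case 0x1a: e = 'Z'; break;
        }
        if (e) { if (out) out[n] = '\\'; n++; c = e; }
        if (out) out[n] = c;
        n++;
    }
    return n;
}

/* Hypothetical helper: only %s (escaped) and %% are interpreted in fmt. */
char *sql_format_escaped(const char *fmt, ...)
{
    char *buf = NULL;
    size_t len = 0;
    for (int pass = 0; pass < 2; pass++) {   /* pass 0 sizes, pass 1 fills */
        va_list ap;
        va_start(ap, fmt);
        len = 0;
        for (const char *p = fmt; *p; p++) {
            if (p[0] == '%' && p[1] == 's') {
                len += sql_escape(va_arg(ap, const char *), buf ? buf + len : NULL);
                p++;
            } else {
                if (p[0] == '%' && p[1] == '%') p++;
                if (buf) buf[len] = *p;
                len++;
            }
        }
        va_end(ap);
        if (pass == 0 && !(buf = malloc(len + 1))) return NULL;
    }
    buf[len] = '\0';
    return buf;   /* caller frees */
}
```

The format string must still put quotes around each %s, as in the statement quoted above; escaping alone does not protect an unquoted value.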

