[Bug 20275] LIKE is completely broken for SQLite

2009-08-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #1 from Max Semenik 2009-08-16 14:25:02 UTC --- Created an attachment (id=6469) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6469) Sketch of a possible solution Here's my idea of fixing this mess (it should also the

[Bug 20275] LIKE is completely broken for SQLite

2009-08-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Max Semenik changed: What|Removed |Added Keywords||need-review, patch -- Configure bug

[Bug 20275] LIKE is completely broken for SQLite

2009-08-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Aryeh Gregor changed: What|Removed |Added CC||simetrical+wikib...@gmail.co

[Bug 20275] LIKE is completely broken for SQLite

2009-08-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #3 from Max Semenik 2009-08-24 18:15:03 UTC --- (In reply to comment #2) > Where does the ESCAPE have to go? Right after the LIKE or at the end of the > query? I'd expect this function to be usable even with additional condi

[Bug 20275] LIKE is completely broken for SQLite

2009-08-24 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #4 from Aryeh Gregor 2009-08-24 19:55:54 UTC --- (In reply to comment #3) > The $dbr->like( 'bar%' ) variant is clearer, but it requires you to take care > of its parameter manually, i.e. to escape 'bar' but not '%', if you re

[Bug 20275] LIKE is completely broken for SQLite

2009-08-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Max Semenik changed: What|Removed |Added Attachment #6469 is|0 |1 obsolete|

[Bug 20275] LIKE is completely broken for SQLite

2009-08-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #6 from Max Semenik 2009-08-25 18:46:10 UTC --- Created an attachment (id=6493) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6493) Tests (require the previous patch) Posting these tests separately, as I haven't figu

[Bug 20275] LIKE is completely broken for SQLite

2009-08-25 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #7 from Aryeh Gregor 2009-08-26 01:36:41 UTC --- Okay, it seems like escapeLike() does strencode() as well. So you've got like() doing no escaping at all. I think this is potentially quite surprising; I'd prefer to see it do

[Bug 20275] LIKE is completely broken for SQLite

2009-08-26 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #8 from Max Semenik 2009-08-26 18:11:29 UTC --- (In reply to comment #7) Thanks, Aryeh. I'll make another patch in a couple of days. > Okay, it seems like escapeLike() does strencode() as well. So you've got > like() doing

[Bug 20275] LIKE is completely broken for SQLite

2009-08-26 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #9 from Aryeh Gregor 2009-08-26 21:40:13 UTC --- (In reply to comment #8) > That would create a situation where a misled developer uses the new > function > in an unsafe context and gets an SQL injection. Giving it a scary

[Bug 20275] LIKE is completely broken for SQLite

2009-08-26 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Alex Z. changed: What|Removed |Added CC||mrzmanw...@gmail.com --- Comment #10 fro

[Bug 20275] LIKE is completely broken for SQLite

2009-08-26 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #11 from Aryeh Gregor 2009-08-26 23:28:20 UTC --- (In reply to comment #10) > Some random thoughts... > > My initial thought on reading this was that LIKE escaping should really be an > internal function called by the wrapper

[Bug 20275] LIKE is completely broken for SQLite

2009-08-27 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Niklas Laxström changed: What|Removed |Added CC||niklas.laxst...@gmail.com --- Co

[Bug 20275] LIKE is completely broken for SQLite

2009-08-28 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #13 from Max Semenik 2009-08-28 19:31:33 UTC --- (In reply to comment #12) > (In reply to comment #9) > > (In reply to comment #8) > > > appears to be a mysqlism, in SQLite it looks two times more sane:D > > > > Then SQL

[Bug 20275] LIKE is completely broken for SQLite

2009-08-28 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #14 from Aryeh Gregor 2009-08-28 21:36:38 UTC --- A simple test: mysql> SELECT '\\' LIKE '\\' AS a, '\\' LIKE '' AS b; +---+---+ | a | b | +---+---+ | 1 | 1 | +---+---+ 1 row in set (0.03 sec) sqlite> SELECT '\\' LIKE '

[Bug 20275] LIKE is completely broken for SQLite

2009-08-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #15 from Max Semenik 2009-08-29 21:38:30 UTC --- Created an attachment (id=6502) --> (https://bugzilla.wikimedia.org/attachment.cgi?id=6502) Sample patch using idea by Mr.Z-man I like Alex's idea, here is an example of its i

[Bug 20275] LIKE is completely broken for SQLite

2009-08-29 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #16 from Aryeh Gregor 2009-08-30 01:08:20 UTC --- (In reply to comment #14) > A simple test: > > mysql> SELECT '\\' LIKE '\\' AS a, '\\' LIKE '' AS b; > +---+---+ > | a | b | > +---+---+ > | 1 | 1 | > +---+---+ > 1 row i

[Bug 20275] LIKE is completely broken for SQLite

2009-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #17 from Niklas Laxström 2009-08-31 07:02:52 UTC --- I also said: Exception: At the end of the pattern string, backslash can be specified as “\\”. Compare with: mysql> SELECT '\\a' LIKE '\\a' AS a, '\\a' LIKE 'a' AS b; +-

[Bug 20275] LIKE is completely broken for SQLite

2009-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 --- Comment #18 from Aryeh Gregor 2009-08-31 13:36:13 UTC --- (In reply to comment #17) > I also said: Exception: At the end of the pattern string, backslash can be > specified as “\\”. > > Compare with: > mysql> SELECT '\\a' LIKE '\\a'

[Bug 20275] LIKE is completely broken for SQLite

2009-08-31 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Max Semenik changed: What|Removed |Added Attachment #6492 is|0 |1 obsolete|

[Bug 20275] LIKE is completely broken for SQLite

2009-09-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Max Semenik changed: What|Removed |Added Attachment #6511 is|0 |1 obsolete|

[Bug 20275] LIKE is completely broken for SQLite

2009-10-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=20275 Max Semenik changed: What|Removed |Added Status|NEW |RESOLVED Keywords|need-review