16 Feb
2011
16 Feb
'11
5:08 p.m.
On 02/16/2011 03:43 PM, Thomas Mortagne wrote:
I mean Microsoft's SQL Server, their complete lack of imagination makes
it hard to distinguish their product.
I understood that but you I don't see any support for MS SQL Server in
DatabaseProduct and i don't see why I would add it now just for that.
Well, there are several users that run XWiki on top of MSSQL, and even
though it's not highly maintained by the developers, we should at least
try not to break things on purpose.
On Wed, Feb 16, 2011 at 12:43, Sergiu
Dumitriu<sergiu(a)xwiki.com> wrote:
Yes, that is correct, but \ is an escape character.
So, normally doubling ` will have the desired effect:
create database that`s life; -> invalid, error.
create database `that``s life`; -> valid, OK.
create database `that\``s life`; -> invalid, since \` actually escapes
the first backquote, breaking the special meaning of ``. That's not a
double backquote which translates into a single literal backquote, but a
literal backquote followed by an unmatched, unescape backquote which
closes the starting backquote early.
This holds true for " as well, and this is why escapetool.sql is not
enough to prevent SQL injections and parameterized queries should be
used everywhere.
On 02/16/2011 11:50 AM, Thomas Mortagne wrote:
That's weird since
http://dev.mysql.com/doc/refman/5.0/en/identifiers.html says
"Identifier quote characters can be included within an identifier if
you quote the identifier. If the character to be included within the
identifier is the same as that used to quote the identifier itself,
then you need to double the character." On Wed, Feb 16, 2011 at 11:36, Sergiu
Dumitriu<sergiu(a)xwiki.com> wrote:
OK, you can double the openQuote() character. For SQLServer dialect you
have to do it differently, though:
replace("[", "[[]")
Although, simple doubling isn't enough, for example trying to create
this database will drop the xyz database:
x\`; drop database xyz; \`
turns into:
create database `x\``; drop database xxx; \```;
which fails to create the first database (invalid name), drops the
second database, and fails to execute the ` command. I tested it on the
mysql console, not through Hibernate. On 02/16/2011 10:09 AM, tmortagne (SVN) wrote:
> Author: tmortagne
> Date: 2011-02-16 10:09:31 +0100 (Wed, 16 Feb 2011)
> New Revision: 34718
>
> Modified:
>
platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
>
platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateStore.java
> Log:
> XWIKI-5976: Cannot create subwiki named "lines"
> Better (but a lot less elegant...) fix
>
> Modified:
platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
> ===================================================================
> ---
platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
2011-02-16 09:09:21 UTC (rev 34717)
> +++
platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
2011-02-16 09:09:31 UTC (rev 34718)
> @@ -504,7 +504,6 @@
> }
> } catch (Exception e) {
> }
> - ;
> try {
> if (bTransaction) {
> endTransaction(context, true);
> @@ -600,13 +599,14 @@
>
> if (context.getDatabase() != null) {
> String schemaName = getSchemaFromWikiName(context);
> + String escapedSchemaName = escapeSchema(schemaName, context);
>
> DatabaseProduct databaseProduct =
getDatabaseProductName(context);
> if (DatabaseProduct.ORACLE == databaseProduct) {
> Statement stmt = null;
> try {
> stmt = session.connection().createStatement();
> - stmt.execute("alter session set current_schema =
" + schemaName);
> + stmt.execute("alter session set current_schema =
" + escapedSchemaName);
> } finally {
> try {
> if (stmt != null) {
> @@ -620,7 +620,7 @@
> Statement stmt = null;
> try {
> stmt = session.connection().createStatement();
> - stmt.execute("SET SCHEMA " + schemaName);
> + stmt.execute("SET SCHEMA " +
escapedSchemaName);
> } finally {
> try {
> if (stmt != null) {
> @@ -648,6 +648,29 @@
> }
>
> /**
> + * Escape schema name depending of the database engine.
> + *
> + * @param schema the schema name to escape
> + * @param context the XWiki context to get database engine identifier
> + * @return the escaped version
> + */
> + protected String escapeSchema(String schema, XWikiContext context)
> + {
> + DatabaseProduct databaseProduct = getDatabaseProductName(context);
> +
> + String escapedSchema;
You should use this instead:
escapedSchema = dialect.openQuote() + schema + dialect.closeQuote();
Ok thanks
I think nobody wants to use ` or " in the wiki name, so there shouldn't
be a need for doubling them.
No sure about that. We have to do something, either remove or properly
escape then otherwise it's not very safe
BTW, SQLServer uses [ ] for quoting.
You mean DB2 ? >
>>>
>>>> + if (DatabaseProduct.MYSQL == databaseProduct) {
>>>> + // MySQL does not use SQL92 escaping syntax by default
>>>> + escapedSchema = "`" +
schema.replace("`", "``") + "`";
>>>> + } else {
>>>> + // Use SQL92 escape syntax
>>>> + escapedSchema = "\"" +
schema.replace("\"", "\"\"") + "\"";
>>>> + }
>>>> +
>>>> + return escapedSchema;
>>>> + }
>>>> +
>>>> + /**
>>>> * Begins a transaction
>>>> *
>>>> * @param context
--
Sergiu Dumitriu
http://purl.org/net/sergiu/