Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MySQL EXTRACTVALUE not working with special characters #396

Open
alexander-schranz opened this issue Dec 14, 2021 · 5 comments
Open

MySQL EXTRACTVALUE not working with special characters #396

alexander-schranz opened this issue Dec 14, 2021 · 5 comments

Comments

@alexander-schranz
Copy link
Contributor

alexander-schranz commented Dec 14, 2021
edited

Currently the XML Property names are written the following way into MySQL:

<sv:property sv:name="val&quot;ue">

another valid xml struct for this would be

<sv:property sv:name='val"ue'>

As mysql itself seems not convert &quot; to " it currently can not match in the query. Example the following SQL will not work in both cases:

SET @xmlPointer = '//sv:property[@sv:name=concat("val", concat(''"'', "ue"))]/sv:value[1]';
SELECT EXTRACTVALUE('<sv:property sv:name=\'val"ue\'><sv:value length="3">BBB</sv:value></sv:property>', @xmlPointer); // works
SELECT EXTRACTVALUE('<sv:property sv:name="val&quot;ue"><sv:value length="3">BBB</sv:value></sv:property>', @xmlPointer); // doesnt work

Currently a test testing a property named with val"ue" is skipped because of this.

jackalope-doctrine-dbal/tests/Jackalope/Transport/DoctrineDBAL/ClientTest.php

Lines 541 to 543 in f3107ac

[MySQLPlatform::class]
// see https://stackoverflow.com/questions/70339679/use-extractvalue-against-correctly-escaped-xml-attribute-value-in-mysql
// currently mysql does not escape 'val"ue' the same was as "val&quot;ue" so the test fails

I also created a stackoverflow question how this could maybe be solved: https://stackoverflow.com/questions/70339679/use-extractvalue-against-correctly-escaped-xml-attribute-value-in-mysql
@dbu
Copy link
Member

dbu commented Dec 14, 2021

could we convert " to &quot; in the query for mysql, or does that have other side effects?

@alexander-schranz
Copy link
Contributor Author

@dbu I'm afraid currently doing that, because maybe it will behave differently in MySQL 8 or in future MySQL versions.

@dbu
Copy link
Member

dbu commented Apr 29, 2022

in the mid-term i hope to release a version 2 of the jackalope ecosystem. mostly with cleanups like parameter and return type declarations and other such modern PHP improvements.

that might be a good opportunity to do BC breaking changes. do you think we could do something here to make things work reliably?

@alexander-schranz
Copy link
Contributor Author

alexander-schranz commented Apr 29, 2022
edited

We didn't yet stumble over it in a project, and it was never reported to use yet, so this issue isnt important for us at current state. I did just stumble over it while writing the tests for the sql injection issue that mysql behave here strange. But if it is easy possible to write 'val"ue' instead of "val&quot;ue", not sure if there is any flag in XML lib to achieve that, it would be a good solution for the 2.0 then. But as said it is not a important issue on our side yet. We didn't had yet any usecase to filter something with a double quote in it yet.

@dbu
Copy link
Member

dbu commented Apr 29, 2022

thanks. yeah lets keep it open in case somebody runs into problems because of this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dbu @alexander-schranz