Add support for customized database name with --using #290
Conversation
|
please add tests. There's a pretty big matrix of input to cover here and the tests need to show what's valid and what's not. We need to handle edge cases that could lead to sql injection if we don't escape the name, etc. |
|
do we want to allow the user to provide the db name as a bracketed identifier? In reply to: 1460392606 |
|
if there's a space in the name or the path will the user have to surround the entire parameter with quotes? In reply to: 1460405555 |
|
Yes, add an example with --using with a space in the db name (it works, we tested it) In reply to: 1460405555 |
Is there a way we could change this flag type to a I think the default behavior of StringSlice is to allow the same flag to be used multiple times like #Closed Refers to: cmd/modern/root/install/mssql-base.go:192 in 246bd0e. [](commit_id = 246bd0e, deletion_comment = False) |
We do not support filesystem paths at the moment. Only http and https. But I will add tests to check what happens if such input is intentionally passed. |
I checked with @stuartpa and for now we will only support |
|
per our meeting - make sure you bracket-escape the name before putting it in a SQL query In reply to: 1461812698 |
if databaseName has a ] in it this query becomes a vector for sql injection. Either use a properly parameterized query (go-mssqldb supports parameterized queries) or escape everything appropriately. Refers to: cmd/modern/root/install/mssql-base.go:530 in 7a37b69. [](commit_id = 7a37b69, deletion_comment = False) |
|
We want to incrementally improve the quality of the experience here. There is a quality issue with the experience right now, in that folks don't want to be stuck with the name of the .bak file as the database name. It would improve the experience if we allow a database name to be specified. In the limit we should support a database name that covers the entire input space for T/SQL identifiers, but we don't have to do that in a single PR. It is fine in this PR to limit the input space for the database name so SQL injection is not possible, and enter an issue to widen the input space. What we don't want to see is we end up reducing quality by not thinking through the complete solution for all T/SQL identifier input space in one PR. |
apoorvdeshmukh
force-pushed
the
apoorvdeshmukh/216
branch
from
7a37b69
to
c48b2b9
Compare
|
We should be able to write a functional test for this in the ADO pipeline. ADO hosted agents have docker on them, so the pipeline should be able to use the sqlcmd it builds to run some permutations on In reply to: 1462251401 |
Created #306 to add functional tests for E2E testing scenarios |
This commit adds support for specifying database name with
--usingoption by specifying,DbNameat the end of the URLThis PR closes #216
Example without specifying customized database name, in which case Dbname defaults to the filename without extension
Example with customized database name, in which case Dbname is set to user provided value