[BUGFIX] escape database-username and -password in options-file created by mysql-command (branch latest) #965
Hm, evidently the backtick is not covered:
Since this is one of the use cases you mentioned, it won't be fixed with this change alone ...
@mbrodala The single tick does not need to be escaped … I wrote double-tick (``), but meant double-quote ("). I updated the description …
@mbrodala Maybe we should simply
Thanks for the PRs!
In this little thread there already is confusion about which characters need to be escaped and which not. If I get the docs right, then only backslashes need to be escaped, because they might start a valid escaping sequence, and quotes must be escaped, because the value can be enclosed in single or double quotes. Since we enclose the value with double quotes already, we must encode backslashes and double quotes. Correct would be:

```php
$userDefinition = sprintf('user="%s"', addcslashes($this->dbConfig['user'], '\\"'));
```

As argued above: If encoding is applied then it must be 100% correct, otherwise it is as buggy as before or sometimes even more harmful.
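The escaping rule from the comment above, as an added example (not code from this PR or the project): it quotes constructed sample credentials with `addcslashes($value, '\\"')`, checks that each value reads back unchanged, and marks where `addslashes()` would produce different output. The helpers `quoteOptionValue()`, `readOptionValue()` and `buildOptionsFile()` and the `[client]` group name are assumptions, and `readOptionValue()` models only the two escapes discussed in this thread, not the full MySQL option-file parser.

```php
<?php
// Added example; helper names and sample credentials are constructed.

// Escape only backslash and double quote, then wrap in double quotes.
function quoteOptionValue(string $value): string
{
    return '"' . addcslashes($value, '\\"') . '"';
}

// Assumed reader model, limited to the two escapes discussed in the thread:
// strip the enclosing double quotes, then map \\ to \ and \" to ".
function readOptionValue(string $quoted): string
{
    return preg_replace('/\\\\([\\\\"])/', '$1', substr($quoted, 1, -1));
}

// The [client] group name is an assumption for this sketch.
function buildOptionsFile(string $user, string $password): string
{
    return "[client]\n"
        . 'user=' . quoteOptionValue($user) . "\n"
        . 'password=' . quoteOptionValue($password) . "\n";
}

// Constructed sample values covering each character class from the thread.
$samples = ['plain', 'back\\slash', 'dq"uote', "single'quote", 'trailing\\', 'mix\\"ed'];

foreach ($samples as $raw) {
    $proposed = quoteOptionValue($raw);
    $legacy = '"' . addslashes($raw) . '"'; // also escapes single quote and NUL
    printf(
        "%-13s addcslashes=%-16s round-trip=%-4s addslashes=%-16s %s\n",
        $raw,
        $proposed,
        readOptionValue($proposed) === $raw ? 'ok' : 'FAIL',
        $legacy,
        $legacy === $proposed ? '' : '(differs)'
    );
}

echo buildOptionsFile('app"user', 'p\\ss"word');
```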
See comments in the PR how this needs to be changed
@helhum I got something wrong, and you're right. It's not about proper support for escape-sequences -
I'll update my PR this afternoon …
6a28c3c to f14bf1d
After reading the docs regarding
One more question: Are you going to accept the other two related PRs too?
I would appreciate this very much …
Thanks!
Thank you! …
This PR applies to your `latest` branch, other PRs for your other active branches follow.

Issue: Database-credentials are not properly escaped when writing the `--defaults-extra-file`. Usernames or passwords with backslashes (\) and double-quotes (") won't work.

Solution: use `addslashes()` to escape username and password.

Hence, the MySQL option-files escaping-rules are not 100% `addslashes()` compatible, but using `addslashes()` solves 99% of the escaping-issues for now.

Cheers & Thanks,
Stephan