Sam Varshavchik wrote: > Alessandro Vesely writes: >> Sam Varshavchik wrote: >>> Alessandro Vesely writes: >>> >>>> >>>> * use mysql escape function also in a number of other places; the >>>> MySQL team took years to get it straight... >>> >>> Well, I don't think they got it right. There's no bounds checking in >>> mysql_real_escape_string! The documentation claims you just need to >>> provide enough room at least twice as long as the string length, but >>> then there are also some vague comments regarding the interaction of >>> this function with the locale's character set, which leaves me with a >>> somewhat uneasy feeling. >> >> Since they require 2*length+1, I assume they check that bound. I don't >> know the details of the implementation, but doubling seems quite >> enough. Even if mysql_real_escape_string() cannot fail, its output >> will eventually be parsed using some other function which is >> supposedly aware about what the former might have done. > > I looked at MySQL's source. Their code assumes that the buffer passed to > mysql_real_escape_string is sized twice the size of the input buffer, > plus one byte, and the code checks for overflow.
Great, thank you for confirming that. > Still, the original > patch looks to be too complicated than it needs to be, I agree to some extent. I tried and built something that works seamlessly in most cases, and the result is sub-optimal for the remaining ones. The more I think about it, the more I get convinced that an _authmysql2_ module would better suit Courier's architecture and style. I mentioned that on 21 April, along with the quoted names question. > so I'll need to do this myself. I did not work on a second patch since then, also because I'm late at some other stuff (as usual...) However, I could try again if you'd like and provide some more feedback, unless you start working on that before I can find some spare time. ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
