Alessandro Vesely writes:
Sam Varshavchik wrote:Alessandro Vesely writes:Sam Varshavchik wrote:Alessandro Vesely writes:* use mysql escape function also in a number of other places; the MySQL team took years to get it straight...Well, I don't think they got it right. There's no bounds checking in mysql_real_escape_string! The documentation claims you just need to provide enough room at least twice as long as the string length, but then there are also some vague comments regarding the interaction of this function with the locale's character set, which leaves me with a somewhat uneasy feeling.Since they require 2*length+1, I assume they check that bound. I don't know the details of the implementation, but doubling seems quite enough. Even if mysql_real_escape_string() cannot fail, its output will eventually be parsed using some other function which is supposedly aware about what the former might have done.I looked at MySQL's source. Their code assumes that the buffer passed to mysql_real_escape_string is sized twice the size of the input buffer, plus one byte, and the code checks for overflow.Great, thank you for confirming that.Still, the original patch looks to be too complicated than it needs to be,I agree to some extent. I tried and built something that works seamlessly in most cases, and the result is sub-optimal for the remaining ones.The more I think about it, the more I get convinced that an _authmysql2_ module would better suit Courier's architecture and style. I mentioned that on 21 April, along with the quoted names question.so I'll need to do this myself.I did not work on a second patch since then, also because I'm late at some other stuff (as usual...) However, I could try again if you'd like and provide some more feedback, unless you start working on that before I can find some spare time.
I'm going to try to put together a test build in a day, or so. Testing it would be useful.
pgpaDsRf0FTTb.pgp
Description: PGP signature
------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
