On 02/16/2011 11:50 AM, Thomas Mortagne wrote:
> On Wed, Feb 16, 2011 at 11:36, Sergiu Dumitriu<[email protected]>  wrote:
>> On 02/16/2011 10:09 AM, tmortagne (SVN) wrote:
>>> Author: tmortagne
>>> Date: 2011-02-16 10:09:31 +0100 (Wed, 16 Feb 2011)
>>> New Revision: 34718
>>>
>>> Modified:
>>>      
>>> platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
>>>      
>>> platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateStore.java
>>> Log:
>>> XWIKI-5976: Cannot create subwiki named "lines"
>>> Better (but a lot less elegant...) fix
>>>
>>> Modified: 
>>> platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
>>> ===================================================================
>>> --- 
>>> platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
>>>    2011-02-16 09:09:21 UTC (rev 34717)
>>> +++ 
>>> platform/core/branches/xwiki-core-2.7/xwiki-core/src/main/java/com/xpn/xwiki/store/XWikiHibernateBaseStore.java
>>>    2011-02-16 09:09:31 UTC (rev 34718)
>>> @@ -504,7 +504,6 @@
>>>                    }
>>>                } catch (Exception e) {
>>>                }
>>> -            ;
>>>                try {
>>>                    if (bTransaction) {
>>>                        endTransaction(context, true);
>>> @@ -600,13 +599,14 @@
>>>
>>>                    if (context.getDatabase() != null) {
>>>                        String schemaName = getSchemaFromWikiName(context);
>>> +                    String escapedSchemaName = escapeSchema(schemaName, 
>>> context);
>>>
>>>                        DatabaseProduct databaseProduct = 
>>> getDatabaseProductName(context);
>>>                        if (DatabaseProduct.ORACLE == databaseProduct) {
>>>                            Statement stmt = null;
>>>                            try {
>>>                                stmt = 
>>> session.connection().createStatement();
>>> -                            stmt.execute("alter session set current_schema 
>>> = " + schemaName);
>>> +                            stmt.execute("alter session set current_schema 
>>> = " + escapedSchemaName);
>>>                            } finally {
>>>                                try {
>>>                                    if (stmt != null) {
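
Review bot: escapeSchema(schemaName, context) looks up getDatabaseProductName(context) internally, and the same lookup is repeated two lines later in this hunk; consider fetching databaseProduct first and passing it in. The Oracle statement is still built by concatenation ("alter session set current_schema = " + escapedSchemaName), so its safety rests entirely on escapeSchema, which deserves a comment at the call site. Quoting also makes the identifier case-sensitive, so schemaName has to match the case the schema was created with.
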
>>> @@ -620,7 +620,7 @@
>>>                            Statement stmt = null;
>>>                            try {
>>>                                stmt = 
>>> session.connection().createStatement();
>>> -                            stmt.execute("SET SCHEMA " + schemaName);
>>> +                            stmt.execute("SET SCHEMA " + 
>>> escapedSchemaName);
>>>                            } finally {
>>>                                try {
>>>                                    if (stmt != null) {
>>> @@ -648,6 +648,29 @@
>>>        }
>>>
>>>        /**
>>> +     * Escape schema name depending of the database engine.
>>> +     *
>>> +     * @param schema the schema name to escape
>>> +     * @param context the XWiki context to get database engine identifier
>>> +     * @return the escaped version
>>> +     */
>>> +    protected String escapeSchema(String schema, XWikiContext context)
>>> +    {
>>> +        DatabaseProduct databaseProduct = getDatabaseProductName(context);
>>> +
>>> +        String escapedSchema;
>>
>> You should use this instead:
>>
>> escapedSchema = dialect.openQuote() + schema + dialect.closeQuote();
>
> Ok thanks
>
>>
>> I think nobody wants to use ` or " in the wiki name, so there shouldn't
>> be a need for doubling them.
>
> Not sure about that. We have to do something, either remove or properly
> escape them, otherwise it's not very safe

OK, you can double the openQuote() character. For SQLServer dialect you 
have to do it differently, though:

replace("[", "[[]")

Although, simple doubling isn't enough, for example trying to create 
this database will drop the xyz database:

x\`; drop database xyz; \`

turns into:

create database `x\``; drop database xxx; \```;

which fails to create the first database (invalid name), drops the 
second database, and fails to execute the ` command. I tested it on the 
mysql console, not through Hibernate.

>>
>> BTW, SQLServer uses [ ] for quoting.
>
> You mean DB2 ?

I mean Microsoft's SQL Server, their complete lack of imagination makes 
it hard to distinguish their product.

>>
>>> +        if (DatabaseProduct.MYSQL == databaseProduct) {
>>> +            // MySQL does not use SQL92 escaping syntax by default
>>> +            escapedSchema = "`" + schema.replace("`", "``") + "`";
>>> +        } else {
>>> +            // Use SQL92 escape syntax
>>> +            escapedSchema = "\"" + schema.replace("\"", "\"\"") + "\"";
>>> +        }
>>> +
>>> +        return escapedSchema;
>>> +    }
>>> +
>>> +    /**
>>>         * Begins a transaction
>>>         *
>>>         * @param context
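
Review bot: escapeSchema only distinguishes MySQL from everything else, so every other engine gets SQL92 double quotes, and the method relies on doubling the quote character alone to neutralise whatever the wiki name contains. Suggest rejecting names outside a small allowed character set before quoting, and taking the quote characters from the dialect instead of branching on DatabaseProduct. The Javadoc summary should read "depending on the database engine".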


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
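
An added example, not part of the original message and not XWiki's code: one way to combine the two options raised in the thread, rejecting unsafe wiki names and then quoting per engine. The class, enum and method names and the allowed-character policy are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/** Added illustration; class, enum and method names are hypothetical, not XWiki's API. */
public class SchemaNameQuoting
{
    /** Identifier quote styles mentioned in the thread. */
    enum QuoteStyle
    {
        BACKTICK('`', '`'),   // MySQL default
        SQL92('"', '"'),      // SQL92 double quotes
        BRACKET('[', ']');    // Microsoft SQL Server; ']' is doubled, as QUOTENAME does

        final char open;
        final char close;

        QuoteStyle(char open, char close)
        {
            this.open = open;
            this.close = close;
        }
    }

    /** Assumed policy: letters, digits and underscore only, at most 64 characters. */
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_]{1,64}");

    static String quoteSchema(String schema, QuoteStyle style)
    {
        // Reject rather than repair: quotes, backslashes, brackets and ';' never reach SQL.
        if (schema == null || !ALLOWED.matcher(schema).matches()) {
            throw new IllegalArgumentException("Invalid schema name");
        }
        // Defence in depth: double the closing quote character even though
        // the allow-list above already excludes it.
        String close = String.valueOf(style.close);
        return style.open + schema.replace(close, close + close) + style.close;
    }

    public static void main(String[] args)
    {
        // Constructed inputs: the name from XWIKI-5976 and the hostile name quoted in the thread.
        System.out.println(quoteSchema("lines", QuoteStyle.BACKTICK));
        System.out.println(quoteSchema("lines", QuoteStyle.BRACKET));
        try {
            quoteSchema("x\\`; drop database xyz; \\`", QuoteStyle.BACKTICK);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```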
