On Tue, Jan 24, 2006 at 07:07:19PM -0600, Glen Ditchfield wrote:
> On Tuesday 24 January 2006 15:43, Christof Petig wrote:
> > This is not an issue here since query and parameter are passed separated
> > to the database. (And the parameter is not parsed).
>
> But does that ensure that the right thing will happen if the parameter has a
> single quote in it?
Yes. ? parameters do not involve any sort of string substitution; they are
parsed directly as part of the SQL syntax, and basically act to leave a
placeholder in the _parsed_ and compiled statement. When we then bind a value
to them, this value is attached directly to this placeholder in the compiled
virtual machine function. The parser never gets near them; they are treated as
simple binary data.

> By the way, here is what monotone 0.23 on SuSE 9.2 does in one case:
> [~]$ monotone ls certs a:o\'toole
> monotone: expanding selection 'a:o'toole'
> monotone: error: sqlite error: 1: near "toole": syntax error
> monotone: error: make sure database and containing directory are writeable

Yes; this is a bug, and mentioned at http://venge.net/monotone/quickies.html

The one place where we generate SQL by building up strings is in the selector
code, where we generate some somewhat complex WHERE clauses to do multiple
selector tests at once. Because we don't use the ? bind parameters
functionality here, it is vulnerable to this kind of quoting bug. All the rest
of the db interaction uses ? parameters, though.

-- Nathaniel

-- 
"...these, like all words, have single, decontextualized meanings: everyone
knows what each of these words means, everyone knows what constitutes an
instance of each of their referents. Language is fixed. Meaning is certain.
Santa Claus comes down the chimney at midnight on December 24."
  -- The Language War, Robin Lakoff

_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
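The two behaviours discussed in this thread side by side, as an added example that is not monotone's code and not part of the original message. It uses Python's sqlite3 module as a stand-in for the SQLite C API that monotone calls; the table layout, the cert values and the "author" cert name are constructed for the example. One query splices the selector value into the SQL text the way the selector code did, so the quote in o'toole reaches the parser as syntax (the same "near "toole": syntax error" the report above shows) and a crafted value can rewrite the WHERE clause; the other passes the same value through a ? placeholder, where it is bound after parsing and never treated as SQL.

```python
"""Added example (not monotone's code): SQLite '?' bind parameters versus SQL
built by string concatenation, using Python's sqlite3 module as a stand-in
for the SQLite C API. Table layout and cert values are constructed here."""
import sqlite3

# Constructed sample data: a tiny stand-in for a cert table, not monotone's schema.
SAMPLE_CERTS = [
    ("rev1", "author", "o'toole"),
    ("rev2", "author", "graydon"),
    ("rev3", "author", "njs"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE certs (id TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO certs VALUES (?, ?, ?)", SAMPLE_CERTS)
    return con


def select_by_concatenation(con, value):
    """The fragile pattern: the selector value is spliced into the SQL text,
    so a quote in the value is seen by the SQL parser as syntax."""
    sql = "SELECT id FROM certs WHERE name = 'author' AND value = '" + value + "'"
    return [row[0] for row in con.execute(sql)]


def select_with_bind(con, value):
    """The safe pattern: '?' is a placeholder in the compiled statement; the
    value is bound afterwards and is never parsed as SQL."""
    sql = "SELECT id FROM certs WHERE name = 'author' AND value = ?"
    return [row[0] for row in con.execute(sql, (value,))]


def compare(value):
    """Run both variants on the same input.

    Returns (concat_result, bind_result). concat_result is the list of matching
    ids, or the error message when the concatenated statement fails to parse.
    """
    con = make_db()
    try:
        concat = select_by_concatenation(con, value)
    except sqlite3.OperationalError as e:
        concat = "error: " + str(e)
    bound = select_with_bind(con, value)
    return concat, bound


if __name__ == "__main__":
    # "graydon": both agree. "o'toole": concatenation is a syntax error, binding
    # finds rev1. The last value turns the concatenated WHERE clause into
    # "... OR '1'='1'" and matches every row; bound, it matches nothing.
    for v in ["graydon", "o'toole", "nobody' OR '1'='1"]:
        concat, bound = compare(v)
        print(f"{v!r:24} concat -> {concat!r:40} bind -> {bound!r}")
```

The third input is the reason the quoting bug is a security issue and not only an inconvenience: whatever operators the selector language allows the user to type ends up deciding which rows the database returns. Binding keeps the compiled statement fixed regardless of the value, which is exactly the property the reply above describes for the rest of the db code.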
