Re: [Pdns-users] PDNS + MySQL results not un-escaped?
Hi List,

maybe there's a misunderstanding here on my side but mysql_real_escape_string() still adds backslashes to some special chars (like ' or and \), doesn't it? That would probably not affect the case of escaping a semicolon like stated below.

But what happens if there's a TXT record containing ', or \? PowerDNS would still retrieve those strings as they are and deliver the record including the escape-backslashes.

Does anyone know how other database backends for powerdns or other nameservers with DB backends handle this scenario?

On Wed, 06 Jan 2010 13:27:31 -0500, Patrick Domack patric...@patrickdk.com wrote:
> Most people have solved this issue a while ago, but some people never upgrade or review documentation, so here are the things I would check.
>
> Sounds like this is php, so:
> Make sure magic_quotes_gpc is not on in php.ini, or by other means
> Make sure the php program isn't using add_slashes
> If it is using add_slashes, replace with mysql_real_escape_string
>
> Quoting Michael p...@nettrust.co.nz:
>> On Wed, 06 Jan 2010 21:56:08 you wrote:
>>> Hi Michael
>>>
>>>> When I enter a DKIM or Domain Keys record, which requires use of ';', the records on the secondary name server have this character escaped with '\', as to be expected. As this character has a special meaning in MySQL I would think the simple answer would be to unescape it prior to returning the RR.
>>>
>>> This is a common misunderstanding of web developers that escaping in MySQL is done by adding backslashes. Instead, escaping is done by calling mysql_real_escape(), which prepares the string to be safe when storing it to the database but when fetching the string again, it will be the same as before calling mysql_real_escape(). Therefore, if a web application adds backslashes it corrupts the record and this has to be considered as bug of the web application.
>>
>> Ok, so is there any downside to adding an unescape to the code and could this be done by the programmers?
>>
>> I didn't write the web based SQL admin... I use the proper MySQL function in my own code, but I am not rewriting the web based admin...

--
Mit freundlichen Grüßen / with kind regards
Rudolph Bott

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] PDNS + MySQL results not un-escaped?
Hi Rudolph

> maybe there's a misunderstanding here on my side but mysql_real_escape_string() still adds backslashes to some special chars (like ' or and \), doesn't it? That would probably not affect the case of escaping a semicolon like stated below.

Yes, it does but that's a MySQL specific behaviour and all other databases don't do this. SQL ANSI escaping only duplicates single quotes. Example:

mysql_real_escape( \ ; ' ) - \\ ; \' \

Nevertheless, no backslashes are added to semicolons.

> But what happens if there's a TXT record containing ', or \? PowerDNS would still retrieve those strings as they are and deliver the record including the escape-backslashes.

I've done a short test what happens. The result is that we get the original string back:

\ ; '

So there will be no problem when using mysql_real_escape().

> Does anyone know how other database backends for powerdns or other nameservers with DB backends handle this scenario?

The PowerDNS opendbx backend uses the odbx_escape() function from the OpenDBX library which uses the escape functions of the client database libraries or if there's no client escape function available provides its own one which does ANSI escaping (duplicating single quotes). The other database backends use the native escape functions as I remember correctly.

I think that we are safe from the PowerDNS and the database side but if a management application inserts corrupted records, the problem must be fixed in these applications.

Norbert

--
OpenPGP public key
http://www.linuxnetworks.de/norbert.pubkey.asc
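The round trip described in this message, as an added example that is not part of the original thread: a simplified Python model of MySQL's default backslash escaping (not the real client library) shows that one driver-side escape is consumed by the server, while an extra application-side layer ends up stored in the record. The function `hand_escape_semicolons` and the sample record are constructed for illustration.

```python
# Model of MySQL backslash escaping in the default SQL mode (illustrative only;
# real code should use the driver's escape call or bound parameters).
ESCAPE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
          "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}

def client_escape(value):
    """Characters mysql_real_escape_string() escapes before a value enters a literal."""
    return "".join(ESCAPE.get(ch, ch) for ch in value)

def server_parse(literal_body):
    """What the server stores for the text between the quotes of a '...' literal."""
    out, i = [], 0
    while i < len(literal_body):
        ch = literal_body[i]
        if ch == "\\" and i + 1 < len(literal_body):
            nxt = literal_body[i + 1]
            out.append(UNESCAPE.get(nxt, nxt))  # the escape layer is consumed here
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def addslashes(value):
    """PHP addslashes(): backslash before ' " \\ and NUL."""
    return "".join("\\0" if ch == "\0" else "\\" + ch if ch in "'\"\\" else ch
                   for ch in value)

def hand_escape_semicolons(value):
    """Hypothetical admin-tool step that escapes ';' itself."""
    return value.replace(";", "\\;")

def stored_value(value, app_steps=()):
    """Run optional app-side steps, then the driver escape, then the server parse."""
    for step in app_steps:
        value = step(value)
    return server_parse(client_escape(value))

DKIM = "v=DKIM1; k=rsa; p=EXAMPLEKEY"   # constructed sample TXT content
TRICKY = "\\ ; ' \""                    # backslash, semicolon, both quote types

if __name__ == "__main__":
    print(repr(stored_value(DKIM)))                            # unchanged
    print(repr(stored_value(DKIM, [hand_escape_semicolons])))  # backslashes stored
    print(repr(stored_value("it's", [addslashes])))            # backslash stored
```
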
Re: [Pdns-users] PDNS + MySQL results not un-escaped?
I think you're confusing escaping.

Escaping in mysql isn't stored in the database, it's only to pass it through to the server. The mysql server removed the escaping, before it stored it, so when you read it, it's clean and ready to be used.

This causes issues as to what needs to be escaped, cause if you escape everything, mysql won't remove it from everything, and some will be left behind, like with your ;

This is what mysql_real_escape_string is for. It will ask the server what needs to be escaped, based on the current charset selected and encoding being used, and escape those.

Quoting Rudolph Bott r...@knurps.org:
> Hi List,
>
> maybe there's a misunderstanding here on my side but mysql_real_escape_string() still adds backslashes to some special chars (like ' or and \), doesn't it? That would probably not affect the case of escaping a semicolon like stated below.
>
> But what happens if there's a TXT record containing ', or \? PowerDNS would still retrieve those strings as they are and deliver the record including the escape-backslashes.
>
> Does anyone know how other database backends for powerdns or other nameservers with DB backends handle this scenario?
>
> On Wed, 06 Jan 2010 13:27:31 -0500, Patrick Domack patric...@patrickdk.com wrote:
>> Most people have solved this issue a while ago, but some people never upgrade or review documentation, so here are the things I would check.
>>
>> Sounds like this is php, so:
>> Make sure magic_quotes_gpc is not on in php.ini, or by other means
>> Make sure the php program isn't using add_slashes
>> If it is using add_slashes, replace with mysql_real_escape_string
>>
>> Quoting Michael p...@nettrust.co.nz:
>>> On Wed, 06 Jan 2010 21:56:08 you wrote:
>>>> Hi Michael
>>>>
>>>>> When I enter a DKIM or Domain Keys record, which requires use of ';', the records on the secondary name server have this character escaped with '\', as to be expected. As this character has a special meaning in MySQL I would think the simple answer would be to unescape it prior to returning the RR.
>>>>
>>>> This is a common misunderstanding of web developers that escaping in MySQL is done by adding backslashes. Instead, escaping is done by calling mysql_real_escape(), which prepares the string to be safe when storing it to the database but when fetching the string again, it will be the same as before calling mysql_real_escape(). Therefore, if a web application adds backslashes it corrupts the record and this has to be considered as bug of the web application.
>>>
>>> Ok, so is there any downside to adding an unescape to the code and could this be done by the programmers?
>>>
>>> I didn't write the web based SQL admin... I use the proper MySQL function in my own code, but I am not rewriting the web based admin...
>
> --
> Mit freundlichen Grüßen / with kind regards
> Rudolph Bott
Re: [Pdns-users] PDNS + MySQL results not un-escaped?
On Wed, 06 Jan 2010 21:56:08 you wrote:
> Hi Michael
>
>> When I enter a DKIM or Domain Keys record, which requires use of ';', the records on the secondary name server have this character escaped with '\', as to be expected. As this character has a special meaning in MySQL I would think the simple answer would be to unescape it prior to returning the RR.
>
> This is a common misunderstanding of web developers that escaping in MySQL is done by adding backslashes. Instead, escaping is done by calling mysql_real_escape(), which prepares the string to be safe when storing it to the database but when fetching the string again, it will be the same as before calling mysql_real_escape(). Therefore, if a web application adds backslashes it corrupts the record and this has to be considered as bug of the web application.

Ok, so is there any downside to adding an unescape to the code and could this be done by the programmers?

I didn't write the web based SQL admin... I use the proper MySQL function in my own code, but I am not rewriting the web based admin...
Re: [Pdns-users] PDNS + MySQL results not un-escaped?
Most people have solved this issue a while ago, but some people never upgrade or review documentation, so here are the things I would check.

Sounds like this is php, so:
Make sure magic_quotes_gpc is not on in php.ini, or by other means
Make sure the php program isn't using add_slashes
If it is using add_slashes, replace with mysql_real_escape_string

Quoting Michael p...@nettrust.co.nz:
> On Wed, 06 Jan 2010 21:56:08 you wrote:
>> Hi Michael
>>
>>> When I enter a DKIM or Domain Keys record, which requires use of ';', the records on the secondary name server have this character escaped with '\', as to be expected. As this character has a special meaning in MySQL I would think the simple answer would be to unescape it prior to returning the RR.
>>
>> This is a common misunderstanding of web developers that escaping in MySQL is done by adding backslashes. Instead, escaping is done by calling mysql_real_escape(), which prepares the string to be safe when storing it to the database but when fetching the string again, it will be the same as before calling mysql_real_escape(). Therefore, if a web application adds backslashes it corrupts the record and this has to be considered as bug of the web application.
>
> Ok, so is there any downside to adding an unescape to the code and could this be done by the programmers?
>
> I didn't write the web based SQL admin... I use the proper MySQL function in my own code, but I am not rewriting the web based admin...
[Pdns-users] PDNS + MySQL results not un-escaped?
Hello all,

First time poster, long time SysAdmin :-) intending to convert from Bind.

I have just noticed that PDNS with GMySQL back end does not seem to un-escape result records. Popular MySQL web based admin programs always escape entered data, and certainly I can't think of any rationale not to. However when I go and look on my slave server (running Bind) I see that some TXT slave records are escaped rendering them invalid.

I have searched the MySQL site and I can't find a function to unescape the data within the query, so as far as I can see it isn't just a simple matter of rewriting the queries.

Has someone else found this and if so what did they do about it? Is this an oversight within the module or do I need to fix something?

Thanks,
Michael