From: Nathaniel Smith
Subject: Re: [Monotone-devel] [PATCH] New typesafe VA_ARGS replacement for database with operator % style
Date: Wed, 25 Jan 2006 02:50:25 -0800
User-agent: Mutt/1.5.11

On Tue, Jan 24, 2006 at 07:07:19PM -0600, Glen Ditchfield wrote:
> On Tuesday 24 January 2006 15:43, Christof Petig wrote:
> > This is not an issue here since query and parameter are passed separated
> > to the database. (And the parameter is not parsed).
> 
> But does that ensure that the right thing will happen if the parameter has a 
> single quote in it?

Yes.  ? parameters do not involve any sort of string substitution;
they are parsed directly as part of the SQL syntax, and basically act
to leave a placeholder in the _parsed_ and compiled statement.  When
we then bind a value to them, this value is attached directly to this
placeholder in the compiled virtual machine function.  The parser
never gets near them; they are treated as simple binary data.

> By the way, here is what monotone 0.23 on SuSE 9.2 does in one case:
>   [~]$ monotone ls certs a:o\'toole
>   monotone: expanding selection 'a:o'toole'
>   monotone: error: sqlite error: 1: near "toole": syntax error
>   monotone: error: make sure database and containing directory are writeable

Yes; this is a bug, and mentioned at
   http://venge.net/monotone/quickies.html
The one place where we generate SQL by building up strings is in the
selector code, where we generate some somewhat complex WHERE clauses
to do multiple selector tests at once.  Because we don't use the ?
bind parameters functionality here, it is vulnerable to this kind of
quoting bug.  All the rest of the db interaction uses ? parameters,
though.

-- Nathaniel

-- 
"...these, like all words, have single, decontextualized meanings: everyone
knows what each of these words means, everyone knows what constitutes an
instance of each of their referents.  Language is fixed.  Meaning is
certain.  Santa Claus comes down the chimney at midnight on December 24."
  -- The Language War, Robin Lakoff
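Added example, written for this archive page and not code from the monotone project or from anyone in the thread: it uses Python's sqlite3 binding to show the two ways of forming the selector WHERE clause that the reply describes. The `certs` table and its rows are a constructed stand-in for monotone's schema. The string-built query reproduces the `near "toole": syntax error` for `o'toole`; the `?` bind-parameter version returns the matching row.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a monotone cert table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (id TEXT, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO certs VALUES (?, ?, ?)",
        [
            ("rev1", "author", "o'toole"),
            ("rev2", "author", "smith"),
            ("rev2", "branch", "net.venge.monotone"),
        ],
    )
    return conn


def select_by_string_building(conn, name, value):
    """WHERE clause built up by string concatenation, as the selector code did.
    A single quote inside `value` ends the SQL string literal early, so sqlite's
    parser sees the rest of the value as SQL and rejects it."""
    sql = "SELECT id FROM certs WHERE name = '%s' AND value = '%s'" % (name, value)
    return [row[0] for row in conn.execute(sql)]


def select_by_bind_parameters(conn, name, value):
    """Same query with ? placeholders: the statement is parsed and compiled
    with the placeholders in it, and the value is bound afterwards as plain
    data, so the parser never sees the quote."""
    sql = "SELECT id FROM certs WHERE name = ? AND value = ?"
    return [row[0] for row in conn.execute(sql, (name, value))]


def selector_behaviour(value="o'toole"):
    """Return (error_from_string_building, rows_from_bind_parameters)."""
    conn = make_db()
    try:
        select_by_string_building(conn, "author", value)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)  # for o'toole: near "toole": syntax error
    return error, select_by_bind_parameters(conn, "author", value)


if __name__ == "__main__":
    print(selector_behaviour("o'toole"))
```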