Re: MaxDB applications and client don't quote identifiers
From: Sven Köhler (skoehler upb.de)
Date: Thu Feb 03 2005 - 06:59:35 CST
> yes, the quoting and unquoting of username and password is an old
> burden, and I would say doing it in clean while having all needed
> backward compatibility is nearly impossible.
That's true. That's why you _should_ make a break someday. I see that and
why you want to stay backward compatible, although it is foolish to want
to stay compatible with a
Below, there may be a solution for you.
>>CREATE USER myuser PASSWORD mypass
>
> From the database side, username and password are treated as special
> identifiers (!) that is, they must obey the syntax rules for
> specifying identifiers like table names. Thus, the same quoting
> rules as for identifiers apply - names are upper-ed except if quoted
> with double quotes.
I know.
>>For the future I would suggest the following:
>>- fix the function in SQLDBC that quotes identifiers, to handle "
>>correctly (or introduce a function if there is none yet)
>
> Possibly PHP should make it possible to supply "quoted" username and password,
> and upper the unquoted one ... at least according to our own rules :-)
>
> http://dev.mysql.com/doc/maxdb/en/09/ab35406ee32e34e10000000a155106/content.htm
Database-Clients should _always_ safely embed identifiers into
SQL-Statements. At least there is the possibility, to write a "re-quote"
function, that does the following:
identifier  ->  re-quoted identifier
test        ->  "TEST"
te st       ->  "TE ST"
te"st       ->  "TE""ST"
"test"      ->  "test"
"te st"     ->  "te st"
"te"st"     ->  error and/or "TE""ST"
"te""st"    ->  "te""st"
This function should:
1. check for a quoted identifier by checking for the "" at both ends of
the String
2. if the identifier is NOT quoted, uppercase it, put quotes around the
identifier and return
3. if the identifier is quoted, then check the quoting and either repair
it, or throw/return an error
It is essential that you safely embed identifiers into SQL-Statements, no
matter how. If you choose to stay backward-compatible, well, then do it,
but quote the identifiers ;-)
Thx
Sven
--
MaxDB Discussion Mailing List
For list archives: http://lists.mysql.com/maxdb
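
The "re-quote" function described in the message above, as an added example in Python (not code from the poster, SQLDBC or PHP). It takes the "error" branch for malformed quoting rather than repairing it; IdentifierError, requote and build_create_user are hypothetical names, and rejecting empty identifiers is an assumption.

```python
class IdentifierError(ValueError):
    """The identifier cannot be embedded safely as given."""


def requote(identifier: str) -> str:
    """Return `identifier` as a double-quoted SQL identifier."""
    # Step 1: "quoted" means a double quote at both ends.
    quoted = (len(identifier) >= 2
              and identifier[0] == '"' and identifier[-1] == '"')
    if not quoted:
        if not identifier:
            raise IdentifierError("empty identifier")
        # Step 2: upper-case (as the database does for unquoted names),
        # double every embedded quote, then wrap. Python's str.upper() is
        # an assumption here; the server's case folding may differ for
        # non-ASCII characters.
        return '"' + identifier.upper().replace('"', '""') + '"'
    # Step 3: already quoted, so validate instead of trusting it.
    inner = identifier[1:-1]
    if not inner:
        raise IdentifierError("empty quoted identifier")
    # Removing every doubled quote must leave no quote behind; a leftover
    # one would close the identifier early inside the statement.
    if '"' in inner.replace('""', ''):
        raise IdentifierError("unescaped quote in: " + identifier)
    return identifier


def build_create_user(user: str, password: str) -> str:
    """Hypothetical helper: the CREATE USER statement from the thread."""
    return f"CREATE USER {requote(user)} PASSWORD {requote(password)}"


if __name__ == "__main__":
    # Constructed inputs, taken from the table in the message.
    for sample in ['test', 'te st', 'te"st', '"test"', '"te""st"', '"te"st"']:
        try:
            print(f"{sample!r:12} -> {requote(sample)}")
        except IdentifierError as exc:
            print(f"{sample!r:12} -> error ({exc})")
    print(build_create_user("myuser", 'my"pass'))
```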