Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace usage of "addslashes" with prepared statements #16708

Closed
wants to merge 1 commit into from
Closed

Replace usage of "addslashes" with prepared statements #16708

wants to merge 1 commit into from

Conversation

tianon
Copy link

@tianon tianon commented Aug 10, 2019

As referenced in #15187 (comment), #11311, #1260.

I figured opening a PR was a better (concrete) way to open a discussion around this. 😄 ❤️

I'm not actually a user of nextcloud, so I'm not 100% sure what to do to test this effectively, but I'm willing to give it a shot (although it appears there might be CI that does so already?).

@tianon
Copy link
Author

tianon commented Aug 10, 2019

I guess Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[08006] [7] FATAL: password authentication failed for user "oc_admin" 13 is the answer to why this is using addslashes instead of prepared statements, although addslashes isn't exactly right either. 😞

@kesselb
Copy link
Contributor

kesselb commented Aug 11, 2019

I guess Error while trying to create admin user: Failed to connect to the database: An exception occurred in driver: SQLSTATE[08006] [7] FATAL: password authentication failed for user "oc_admin" 13

:pass should be in single quotes (check the examples here: https://www.postgresql.org/docs/9.6/sql-createrole.html).

@@ -152,11 +152,11 @@ private function createDBUser(IDBConnection $connection) {
}

// create the user
$query = $connection->prepare("CREATE USER " . addslashes($this->dbUser) . " CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");
$query->execute();
$query = $connection->prepare('CREATE USER :user CREATEDB PASSWORD :pass');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$query = $connection->prepare('CREATE USER :user CREATEDB PASSWORD :pass');
$query = $connection->prepare('CREATE USER :user CREATEDB PASSWORD \':pass\'');

or with double quotes for the sql statment and single quotes for pass.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a prepared statement, so the quotes are added automatically.

I believe the issue is that the username is getting quoted like a normal string but actually requires a different type of quoting.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a prepared statement, so the quotes are added automatically.

Right ;)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think https://stackoverflow.com/a/18901826/433558 is the answer; I'll switch :user out for pg_escape_identifier as soon as I get a chance.

@kesselb
Copy link
Contributor

kesselb commented Aug 17, 2019

Ref #13318

@rullzer
Copy link
Member

rullzer commented Aug 19, 2019

@icewind1991 as you use postgres reguraly

@kesselb
Copy link
Contributor

kesselb commented Jan 16, 2020

Hello @icewind1991 ;)

@skjnldsv
Copy link
Member

skjnldsv commented Sep 9, 2020

PIng!

@skjnldsv skjnldsv linked an issue Sep 9, 2020 that may be closed by this pull request
@J0WI J0WI requested a review from icewind1991 September 10, 2020 12:35
@J0WI J0WI requested review from icewind1991 and removed request for icewind1991 April 28, 2021 11:59
@J0WI
Copy link
Contributor

J0WI commented Apr 28, 2021

Could anyone else help out here if @icewind1991 is not available? @nextcloud/server-triage

@J0WI J0WI added this to the Nextcloud 22 milestone Apr 28, 2021
This was referenced May 20, 2021
@blizzz blizzz mentioned this pull request Jun 2, 2021
57 tasks
@blizzz blizzz requested a review from LukasReschke June 2, 2021 15:48
@MorrisJobke MorrisJobke mentioned this pull request Jun 10, 2021
59 tasks
This was referenced Jun 16, 2021
@blizzz
Copy link
Member

blizzz commented Jun 23, 2021

what's the state here? Should it be moved to 23?

@tianon
Copy link
Author

tianon commented Jun 23, 2021 via email

@blizzz blizzz removed this from the Nextcloud 22 milestone Jun 23, 2021
@blizzz blizzz added this to the Nextcloud 23 milestone Jun 23, 2021
@skjnldsv skjnldsv mentioned this pull request Oct 13, 2021
@skjnldsv
Copy link
Member

/rebase

…_literal

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
@skjnldsv
Copy link
Member

Tests are failing

@skjnldsv skjnldsv added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Oct 22, 2021
@skjnldsv skjnldsv modified the milestones: Nextcloud 23, Nextcloud 24 Oct 22, 2021
@tianon
Copy link
Author

tianon commented Oct 22, 2021

Yeah, this was (I guess vainly) hoping someone else would care enough to take over and figure out what's going wrong and how to fix it correctly -- I'm going to close for now, but if anyone else wants to pick this back up, feel free to start with my commit if it's helpful!

@tianon tianon closed this Oct 22, 2021
@tianon tianon deleted the addslashes branch October 22, 2021 16:30
@MichaIng MichaIng removed this from the Nextcloud 24 milestone Jan 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

When postgres is used, the setup fails if username contains a dash
8 participants