Page MenuHomePhabricator
Create Task
Maniphest T57427

DatabaseMysqlBase::addIdentifierQuotes does not properly escape
Closed, ResolvedPublic
Actions

Description

DatabaseBase::addIdentifierQuotes escapes strings for use as an identifier before quoting them. However, DatabaseMysqlBase::addIdentifierQuotes uses a different type of quote (backticks) because of MySQL behavior.

Despite this, it still applies default escaping. If any database identifiers happen to have bad characters in them (highly unlikely, but a possibility), then it would cause a problem.

This would involve fixing DatabaseMysqlBase to escape the proper characters rather than just calling strencode like it does now.

Version: 1.22.0
Severity: normal

Details

Reference
bz55427

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:13 AM
bzimport added a project: MediaWiki-libs-Rdbms.
bzimport set Reference to bz55427.
bzimport added a subscriber: Unknown Object (MLST).
Parent5446 created this task.Oct 7 2013, 5:54 PM
gerritbot added a comment.Oct 8 2013, 6:41 PM

Change 88533 had a related patch set uploaded by BryanDavis:
Escape backticks when quoting MySQL identifiers

https://gerrit.wikimedia.org/r/88533

gerritbot added a comment.Oct 9 2013, 10:12 PM

Change 88533 merged by jenkins-bot:
Escape backticks when quoting MySQL identifiers

https://gerrit.wikimedia.org/r/88533

Addshore added a comment.Nov 5 2013, 10:48 AM

Is this resolved as the patch is merged?

Krenair added a comment.Aug 29 2014, 7:15 PM
  • Bug 40959 has been marked as a duplicate of this bug. ***
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL