Comments (6)
Hm, I've commented it this afternoon but comment is missing - maybe didn't submit the form.
You wrote ...escaping of escaped text does waste...
that's correct. If you are 100% sure that SQL injection cannot occur, e.g. the SQL string comes from $sql = $connection->translate(), you should use the %SQL modifier:
$sql = $db->translate('SELECT * FROM table WHERE ? = ?', 'A', 'A');
$db->query('%SQL', $sql); # dibi does not touch it
But you must be 100% sure, otherwise it's an SQL injection gateway.
Unfortunately I can't make it work by not using 'N'. The query is part of Contributte datagrid.
Can you link the specific query that's causing problem?
If you are 100% sure that SQL injection cannot occur, e.g. the SQL string comes from $sql = $connection->translate(), you should use %SQL modifier:
I cannot do any changes to the source of Ublaboo datagrid. The algorithm of querying is automatic. The query is translated twice. The issue occurs only on the combination UblabooDatagrid -> Dibi Fluent -> MSSQL.
Ublaboo datagrid
Sorry, Ublaboo datagrid renamed to Contribute datagrid. But not totally, so it is little confusing 😁
Can you link the specific query that's causing problem?
I'm afraid I don't understand you. If you mean the SQL query, then any query containing an apostrophe. Any text value. Datagrid does 2 translations of the query; the second pass destroys the query. I can't influence this.
I tried to change the regex and callback in Translator.php to identify N before the apostrophe. But it is not easy and I can't guarantee full functionality of the function translate(). I decided to extend the class SqlsrvDriver with my SqlsrvsitmpDriver:
<?php
declare(strict_types=1);

namespace Dibi\Drivers;

class SqlsrvsitmpDriver extends SqlsrvDriver implements \Dibi\Driver
{
    // Same quoting as the parent driver, but without the N (nvarchar) prefix
    public function escapeText(string $value): string
    {
        return "'" . str_replace("'", "''", $value) . "'"; // N removed
    }
}
and in the configuration use
dibi:
    driver: sqlsrvsitmp
Removing N could be parametric, for example by a new item in dibi options (UseNvarchar = false) in the configuration. This setting would be consumed by the __construct() method of the driver class and passed to the method escapeText(string $value) via a local field. But for my use case it is not necessary.
Milan Tůma
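The defect discussed in this thread (an already-escaped N'...' literal being escaped a second time) and the %SQL pass-through advised in the first comment both come down to one rule: text must be escaped exactly once, and SQL that has already been translated must be marked so a later pass leaves it alone. The following is an added example, not dibi's code or the datagrid's; the escapeText() body with the N prefix is assumed from the thread's "N removed" variant, and TranslatedSql and translate() are hypothetical stand-ins for dibi's translator and its %SQL modifier.

```php
<?php
declare(strict_types=1);

// Marker for SQL that has already been translated. A translator that sees
// this type passes the text through untouched (the role of %SQL in dibi).
// Only ever wrap output of translate() in it, never raw user input:
// wrapping user input is exactly the "SQL injection gateway" the thread warns about.
final class TranslatedSql
{
    public function __construct(public readonly string $sql) {}
}

// Assumed form of the SQL Server text escaping: double embedded apostrophes
// and prefix N so the literal is treated as nvarchar.
function escapeText(string $value): string
{
    return "N'" . str_replace("'", "''", $value) . "'";
}

// Toy translator: each ? is replaced by the next parameter. Plain strings are
// escaped; TranslatedSql parameters are inserted as-is.
function translate(string $query, array $params): TranslatedSql
{
    $i = 0;
    $sql = preg_replace_callback('/\?/', function () use (&$i, $params): string {
        $p = $params[$i++];
        if ($p instanceof TranslatedSql) {
            return $p->sql;              // already escaped once: do not touch
        }
        return escapeText((string) $p);  // plain text: escape exactly once
    }, $query);
    return new TranslatedSql($sql);
}

$name = "O'Brien";   // constructed sample value containing an apostrophe

// 1) Escaping once gives a valid literal.
$once = escapeText($name);
echo $once, PHP_EOL;    // N'O''Brien'

// 2) Escaping the already escaped literal again corrupts it: the inner
//    quotes are doubled a second time and the N prefix becomes part of the value.
$twice = escapeText($once);
echo $twice, PHP_EOL;   // N'N''O''''Brien'''

// 3) The same failure at query level: a translated query fed back into the
//    translator as a plain string is re-escaped as one big literal.
$first  = translate('SELECT * FROM users WHERE name = ?', [$name]);
$broken = translate('?', [$first->sql]);
echo $broken->sql, PHP_EOL;

// 4) With the marker preserved, the second pass is a no-op and the query
//    stays exactly as the first pass produced it.
$second = translate('?', [$first]);
var_dump($first->sql === $second->sql);   // bool(true)
```

The practical takeaway for a pipeline like datagrid -> Dibi Fluent -> MSSQL is that the layer doing the first translation has to hand its result downstream in a form the second layer recognises as already translated; stripping the N prefix in a custom driver only makes the corrupted second-pass output happen to survive the regex, it does not remove the double escaping.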