-
Notifications
You must be signed in to change notification settings - Fork 300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add escaping for SQL characters #3
Comments
Is there any workaround for this in the current version? |
Not currently, except to escape the characters on the result query string itself. I've been dragging my feet on doing this but if it's a blocker for you let me know and I can take care of it. |
@twheys thanks for the suggestion! I think it would definitely help to have this supported. If it's fairly straightforward, I can also take a stab at it and make a PR if you'd like. |
Yeah if you have time to do it, your contribution would be greatly appreciated 👍 There are some comments in different places in the code with TODOs where it the escaping should be applied |
I can't make any promises at the moment; I'm no longer working on the project that requires this 🙈 |
No worries |
@twheys How would you implement this? One way is to make sure all methods that receive inputs are validating it (escaping) - very prone to error on extension (someone may forget...) The other method is to escape everything on Do you have a preferred way (possibly something else)? |
There's a couple of places where it needs to be done. Basically, anywhere a parameter is taken that ends up rendered in the query. For example, table names and schemas, |
@twheys I may be able to spend time on it this weekend or the next one. Do you have any guidelines on how to do it? Honestly, I think this is crucial for this library to be usable for any interaction with input from the real world. For now I'm thinking the same as you - any place that takes an argument from the user has to apply an escape function. This is the "naive" way but it really messes up the code's extensibility because now everyone has to do it. I would prefer to escape when doing the |
@reutsharabani sorry I didn't reply before the weekend. I don't have a particular solution in mind. I think the problem might be more complicated that it first appears, though, perhaps not. My thoughts were to make an escape function that replaced any special characters such as |
@twheys no problem. I think a custom escape function is meaningless. The functions are usually exposed by the drivers so just take it as an argument. I strongly suggest it to be at a single point that everything passes through, Otherwise it is hard to maintain (scattered around the code). About escaping pypika internals - my idea was applying it at a single point before doing something with the values. If the values are mutated before that point it obviously won't work. I will probably take a look at the weekend to get familiar with the code and see if I come up with something. |
I think that there is two different ways to harden the query:
I feel we should definitely do 1, and it would be different for each dialect. e.g. MySQL uses ` (backtick), etc... We can get away with this as identifiers have a limited character set. We also must do it as there is no other way. I feel we should not attempt 2, and find a way to treat data as binary instead (as in parametrized queries) as that is the only recommended way in most systems to access a database, as the data goes in a separate data structure. |
Gonna close this since parametrized queries perform this role. |
Any input into pypika should escape invalid characters. This includes table names, field names, and values.
The text was updated successfully, but these errors were encountered: