Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

engine增加escape_string用于处理字符串参数转义 #2107

Merged
merged 1 commit into from
Apr 1, 2023

Conversation

hhyo
Copy link
Owner

@hhyo hhyo commented Mar 31, 2023

增加 mysql、clickhouse的参数转义,适用于库、表等用户参数处理

相关pr:#2062

@hhyo hhyo force-pushed the fix_sql_injection branch from c5866d4 to 0a5f61f Compare March 31, 2023 15:50
@codecov
Copy link

codecov bot commented Mar 31, 2023

Codecov Report

Patch coverage: 50.00% and project coverage change: -0.02 ⚠️

Comparison is base (f275b56) 75.51% compared to head (84cd292) 75.50%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2107      +/-   ##
==========================================
- Coverage   75.51%   75.50%   -0.02%     
==========================================
  Files         102      102              
  Lines       14910    14928      +18     
==========================================
+ Hits        11259    11271      +12     
- Misses       3651     3657       +6     
Impacted Files Coverage Δ
sql/instance_database.py 19.10% <0.00%> (ø)
sql/sql_optimize.py 58.37% <0.00%> (-0.87%) ⬇️
sql/tests.py 98.88% <ø> (ø)
sql_api/api_instance.py 69.49% <0.00%> (ø)
sql/instance.py 51.58% <25.00%> (-0.27%) ⬇️
sql/engines/mysql.py 78.29% <40.00%> (+0.12%) ⬆️
sql/engines/clickhouse.py 71.42% <66.66%> (-0.06%) ⬇️
sql/data_dictionary.py 100.00% <100.00%> (ø)
sql/engines/__init__.py 67.74% <100.00%> (+0.70%) ⬆️
sql/sql_tuning.py 95.65% <100.00%> (ø)
... and 1 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@hhyo hhyo force-pushed the fix_sql_injection branch from 0a5f61f to 84cd292 Compare March 31, 2023 16:18
@hhyo hhyo requested a review from LeoQuote April 1, 2023 06:11
@LeoQuote
Copy link
Collaborator

LeoQuote commented Apr 1, 2023

mysql 那部分参数化的代码,应该也可以用,要不要都加?

https://github.com/hhyo/Archery/pull/2062/files#diff-499072d6ba31c3e648e56b64570a2c700c644332806e738a4207b04988f5e69e

@hhyo
Copy link
Owner Author

hhyo commented Apr 1, 2023

mysql 那部分参数化的代码,应该也可以用,要不要都加?

https://github.com/hhyo/Archery/pull/2062/files#diff-499072d6ba31c3e648e56b64570a2c700c644332806e738a4207b04988f5e69e

可以加,不冲突,分两个pr,这个要不就叫新增参数化支持,可以不涉及注入相关调整,就把支持的引擎统一新增执行参数支持

@LeoQuote
Copy link
Collaborator

LeoQuote commented Apr 1, 2023

也行, 那新开一个pr 吧, 这个你先 merge

Copy link
Collaborator

@LeoQuote LeoQuote left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hhyo hhyo merged commit e2573b7 into master Apr 1, 2023
@hhyo hhyo deleted the fix_sql_injection branch April 1, 2023 12:31
@hhyo
Copy link
Owner Author

hhyo commented Apr 1, 2023

也行, 那新开一个pr 吧, 这个你先 merge

可以直接在公有项目开pr,私有分支这边删除了,pg的琢磨半天也只能调整为参数化形式

@hhyo
Copy link
Owner Author

hhyo commented Apr 1, 2023

发现clickhouse也一样,这些内置转义方法都是用于参数化处理的,不能和字符串格式化混用,你先提交MySQL的参数化pr,合并后,后续其他engine我这边统一处理下

hhyo added a commit that referenced this pull request Apr 1, 2023
hhyo added a commit that referenced this pull request Apr 1, 2023
Revert "engine增加escape_string用于处理字符串参数转义 (#2107)"

This reverts commit e2573b7.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants