ensure we properly escape such that special characters will work #6
Conversation
solvable_files.sh
Outdated
| @@ -34,7 +34,8 @@ function correct_mtime() { | |||
| username=$(dirname "$username") | |||
| done | |||
|
|
|||
| relative_filepath_without_username="${relative_filepath/#$username\//}" | |||
| first_relative_filepath_without_username="${relative_filepath/#$username\//}" | |||
| relative_filepath_without_username=`echo $first_relative_filepath_without_username | sed "s/\"/\\\\\\\\\"/g"` | |||
There was a problem hiding this comment.
I don't get the sed command
There was a problem hiding this comment.
this is about escaping double quotes such that when we execute the sql command via command line they are not confused with the delimitors
this is to handle the extreme case where double quotes would happen inside the file name
There was a problem hiding this comment.
But why so many \ ?
s/\"/\\\\\\\\\"/g would replace " by \\\\", no?
And lets use proper naming:
first_relative_filepath_without_username => relative_filepath_without_username
relative_filepath_without_username => relative_filepath_without_username_escaped
| relative_filepath_without_username=`echo $first_relative_filepath_without_username | sed "s/\"/\\\\\\\\\"/g"` | |
| relative_filepath_without_username="${relative_filepath/#$username\//}" | |
| relative_filepath_without_username_escaped=`echo $relative_filepath_without_username | sed "s/\"/\\\\\\\\\"/g"` |
There was a problem hiding this comment.
I can only say that without that many \ it was not working
my understanding is that you get those three times through different shells and thus we need that many of them
I will fix the naming
There was a problem hiding this comment.
I remember testing a filename with a quote in it and it was working fine, so I am not sure it is necessary to do that. I will retest on Monday.
There was a problem hiding this comment.
An error with single quotes seem more likely
There was a problem hiding this comment.
yes this is the reason to use double quotes to escape the string when calling mysql or psql
There was a problem hiding this comment.
Using base64 might be safer:
INSERT INTO active_records (password) VALUES (FROM_BASE64('$(echo -n $PASSWORD|base64)'))From: https://stackoverflow.com/questions/4383135/escaping-mysql-command-lines-via-bash-scripting
There was a problem hiding this comment.
yeah why not
it took me a while to understand the idea and yes it looks like it should be less hacky
There was a problem hiding this comment.
@artonge I have applied the base64 solution
mgallien
force-pushed
the
handleSpecialCharacters
branch
from
acbaa52 to
8cdbb08
Compare
|
Latest patch version is not working with pgsql. Filenames are interpreted as column name instead of value. |
|
For postgresql, sed escaping is unnecessary. What works for me is: mtime_in_db=$(
psql \
"postgresql://$db_user:$db_pwd@$db_host/$db_table" \
--tuples-only \
--no-align \
-E 'UTF-8' \
--command="\
SELECT mtime
FROM oc_storages JOIN oc_filecache ON oc_storages.numeric_id = oc_filecache.storage \
WHERE oc_storages.id='home::$username' AND oc_filecache.path=\$\$${relative_filepath_without_username}\$\$"
)This relies on Dollar-Quoted Strings constants: https://www.postgresql.org/docs/current/sql-syntax-lexical.html#SQL-SYNTAX-CONSTANTS |
Signed-off-by: Matthieu Gallien <[email protected]>
mgallien
force-pushed
the
handleSpecialCharacters
branch
from
8cdbb08 to
a0b4c5a
Compare
thanks @X-dark (by the way one of my former colleague is sharing your full name, how funny !) |
+ Fix trailing line return in base64 encoding Signed-off-by: Louis Chemineau <[email protected]>
|
Adapted the solution for pgsql, and fixed a problem with trailing line return added in the encoded value. Tested with filename containing |
Signed-off-by: Matthieu Gallien [email protected]