Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #4593 (closed defect: fixed)

Opened 3 years ago

Last modified 1 year ago

[XPATCH] SQL query not escaping table names

Reported by: webdz9r@gmail.com Assigned to: bitsweat
Priority: high Milestone: 1.2.5
Component: ActiveRecord Version: edge
Severity: major Keywords: escaping sql
Cc: eallik, eadz

Description (Last modified by bitsweat)

Just upgraded to Rails 1.1 and I was working out the bugs and came acrossed this nasty little hickup 

Mysql::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'fields.* FROM fields  INNER JOIN form_field_assignments ON fields.id = form_fiel' at line 1: SELECT fields.* FROM fields  INNER JOIN form_field_assignments ON fields.id = form_field_assignments.field_id   WHERE (form_field_assignments.form_id = 2)  ORDER BY display_order 
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/connection_adapters/abstract_adapter.rb:120:in `log'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/connection_adapters/mysql_adapter.rb:185:in `execute'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/connection_adapters/mysql_adapter.rb:337:in `select'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/connection_adapters/mysql_adapter.rb:176:in `select_all'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/base.rb:390:in `find_by_sql'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/base.rb:924:in `find_every'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/base.rb:381:in `find'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/associations/has_many_through_association.rb:54:in `find_target'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/associations/association_proxy.rb:116:in `load_target'
/usr/lib/ruby/gems/1.8/gems/activerecord-1.14.0/lib/active_record/associations/association_proxy.rb:16:in `respond_to?'
/usr/lib/ruby/1.8/pstore.rb:348:in `dump'
/usr/lib/ruby/1.8/pstore.rb:326:in `transaction'
/usr/lib/ruby/1.8/cgi/session/pstore.rb:90:in `update'
/usr/lib/ruby/1.8/cgi/session/pstore.rb:97:in `close'
/usr/lib/ruby/1.8/cgi/session.rb:330:in `close'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/base.rb:982:in `close_session'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/base.rb:1024:in `process_cleanup_without_flash'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/flash.rb:147:in `process_cleanup_without_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/filters.rb:426:in `process_cleanup_without_session_management_support'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/session_management.rb:126:in `process_cleanup_without_components'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/components.rb:182:in `process_cleanup'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/base.rb:383:in `process_without_filters'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/filters.rb:364:in `process_without_session_management_support'
/usr/lib/ruby/gems/1.8/gems/actionpack-1.12.0/lib/action_controller/session_management.rb:117:in `process'
/usr/lib/ruby/gems/1.8/gems/rails-1.1.0/lib/dispatcher.rb:38:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/rails-1.1.0/lib/fcgi_handler.rb:150:in `process_request'
/usr/lib/ruby/gems/1.8/gems/rails-1.1.0/lib/fcgi_handler.rb:54:in `process!'
/usr/lib/site_ruby/1.8/fcgi.rb:600:in `each_cgi'
/usr/lib/site_ruby/1.8/fcgi.rb:597:in `each_cgi'
/usr/lib/ruby/gems/1.8/gems/rails-1.1.0/lib/fcgi_handler.rb:53:in `process!'
/usr/lib/ruby/gems/1.8/gems/rails-1.1.0/lib/fcgi_handler.rb:23:in `process!'
/web/gobloxs.com/form_builder/public/dispatch.fcgi:24

Attachments

table-name-escaping-patch-v1[4593].diff (11.8 kB) - added by Dmitry V. Sabanin <dmitry@sabanin.ru> on 04/18/06 13:59:50.
Patch to fix table names escaping issues
table-name-escaping-patch-v2.diff (14.0 kB) - added by eadz on 06/17/07 05:28:38.
table_name_escaping_patch_v3.diff (19.0 kB) - added by gwcoffey on 09/28/07 04:54:38.
patched fixtures, some missed cases, added more test cases
table_name_escaping_patch_v4.diff (20.0 kB) - added by JustinLynn on 10/15/07 19:26:32.
Updated to apply to root of trunk, dried up some repeated sql in the test, fixed double quoting issue in columns
table_name_escaping_patch_v5.diff (19.9 kB) - added by JustinLynn on 10/16/07 02:40:13.
moved double quote checking code from mysql_adapter.rb columns method to quote_table_name method; a litter easier to see what it's doing
table_quoting_patch.diff (1.2 kB) - added by wesley.moxam on 10/31/07 00:14:22.
Patches the calculations table. Looks like it got missed with the last patch.
reserved_words_test_mysql.diff (487 bytes) - added by wesley.moxam on 10/31/07 16:48:03.
Tests to ensure that AR associations are working with reserved words
associations.diff (11.5 kB) - added by wesley.moxam on 11/07/07 15:17:22.

Change History

04/06/06 01:26:44 changed by anonymous

  • version set to 1.1.0.
  • milestone set to 1.2.

Setting version to 1.1.0 since the error message indicates ActiveRecord 1.14.0

(follow-up: ↓ 6 ) 04/18/06 13:58:46 changed by Dmitry V. Sabanin <dmitry@sabanin.ru>

  • owner changed from David to anonymous.
  • status changed from new to assigned.

Here's my patch to fix this. I've tried to follow test-driven patching as far as I could. Patch includes complete fix with unit tests proving it. Although, tests are ignored on any database other than MySQL, because I'm not aware about table name escaping rules for other databases. In two words, this patch just adds quote_table_name() method to MysqlAdapter and adds a simple accessor AR::Base.quoted_table_name() (just a wrapper around AR::Base.table_name()). I've gone step by step through Base, replacing table_name() with quoted_table_name() where it made sense. Pretty simple. Also dumb quote_table_name() method was added to ConnectionAdapters::Quoting module, to make sure all databases without specific table name quoting rules act as they did before.

04/18/06 13:59:50 changed by Dmitry V. Sabanin <dmitry@sabanin.ru>

  • attachment table-name-escaping-patch-v1[4593].diff added.

Patch to fix table names escaping issues

04/18/06 14:02:56 changed by anonymous

  • owner changed from anonymous to dmitry@sabanin.ru.
  • status changed from assigned to new.

06/20/06 18:32:21 changed by bitsweat

  • description changed.

08/09/06 11:52:41 changed by anonymous

  • summary changed from SQL query not escaping table names to [PATCH] SQL query not escaping table names.

(in reply to: ↑ 2 ) 12/27/06 07:40:02 changed by doconnor

Replying to Dmitry V. Sabanin <dmitry@sabanin.ru>:

Here's my patch to fix this.

Can you check this patch against trunk? I get unresolved conflicts when trying to apply it.

Is there anyone who can do review on this patch?

02/26/07 21:44:47 changed by bitsweat

  • owner changed from dmitry@sabanin.ru to bitsweat.

Please update the patch for application to trunk.

06/06/07 11:14:25 changed by mislav

  • cc set to eallik.
  • version changed from 1.1.0 to edge.
  • severity changed from critical to major.
  • milestone deleted.

eallik, could you update this patch?

Why does quote_table_name duplicate the functionality of quote_column_name? Couldn't it be one function, or is it better to be two because other db systems may quote columns and table names different?

06/17/07 05:28:38 changed by eadz

  • attachment table-name-escaping-patch-v2.diff added.

06/17/07 05:29:50 changed by eadz

  • cc changed from eallik to eallik, eadz.

I modified the patch to apply cleanly to edge rails, tests all pass.

06/17/07 05:33:46 changed by eadz

Although I have not reviewed the patch, assuming that the initial tests for this patch were sufficient.

09/17/07 16:04:23 changed by elia

  • milestone set to 1.2.4.

(in reply to: ↑ description ; follow-up: ↓ 13 ) 09/22/07 18:55:29 changed by gwcoffey

I just found this patch after writing it myself on #4905, which is a duplicate of this ticket. There are a couple of differences:

1: You put the quote_table_name method in the right place, while I did not. Whoops...

2: My patch fixes Fixtures, while yours does not. This is, in my mind, the most important fix.

Any way to sneak my changes into this patch so they can get committed together? I can produce a single revised patch if it is helpful.

Geoff

(in reply to: ↑ 12 ) 09/22/07 19:02:14 changed by mislav

Replying to gwcoffey:

Any way to sneak my changes into this patch so they can get committed together? I can produce a single revised patch if it is helpful.

Sure, go ahead; this goes without saying. When you update the patch here, close your own ticket as duplicate.

09/28/07 04:54:38 changed by gwcoffey

  • attachment table_name_escaping_patch_v3.diff added.

patched fixtures, some missed cases, added more test cases

09/28/07 12:22:37 changed by danielmorrison

+1

This is a long overdue patch. Thanks for your work!

10/15/07 09:15:04 changed by bitsweat

  • status changed from new to closed.
  • resolution set to incomplete.

This looks good to me. +1. Please update for trunk.

10/15/07 18:44:04 changed by JustinLynn

I spent part of this morning updating patch to apply to trunk but it currently causes some other migration related tests to fail. I'm working on fixing that now.

10/15/07 19:07:54 changed by JustinLynn

Looks like there is a double quoting issue introduced in the column method of the mysql_adapter in relation to the change_column method. patch should be ready soon.

10/15/07 19:26:32 changed by JustinLynn

  • attachment table_name_escaping_patch_v4.diff added.

Updated to apply to root of trunk, dried up some repeated sql in the test, fixed double quoting issue in columns

10/15/07 19:30:21 changed by JustinLynn

In v4 of the patch I added a regex statement to solve the double quoting issue in the columns method of the mysql adapter. All mysql unit tests pass on my system, could someone verify that this patch breaks nothing else?

10/15/07 19:36:27 changed by JustinLynn

  • status changed from closed to reopened.
  • resolution deleted.

10/16/07 02:40:13 changed by JustinLynn

  • attachment table_name_escaping_patch_v5.diff added.

moved double quote checking code from mysql_adapter.rb columns method to quote_table_name method; a litter easier to see what it's doing

10/16/07 02:45:36 changed by JustinLynn

I submitted a new patch that moves the double quote checking code from the columns method to a more logical place. heh, who'd've thought it should've been in the quote_table_name method.

10/16/07 02:46:39 changed by JustinLynn

  • keywords changed from escaping sql to escaping sql verified.

I think I can give it a +1 now.

10/16/07 05:06:37 changed by bitsweat

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [7932]) Quote table names. Defaults to column quoting. Closes #4593.

10/31/07 00:13:03 changed by wesley.moxam

  • status changed from closed to reopened.
  • resolution deleted.

Table names are not being quoted. I noticed it breaking when using a table named 'keys' under mysql.

10/31/07 00:14:22 changed by wesley.moxam

  • attachment table_quoting_patch.diff added.

Patches the calculations table. Looks like it got missed with the last patch.

10/31/07 05:58:12 changed by nzkoz

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [8061]) Escape table names during calculation queries. [wesley.moxam, Koz] Closes #4593

10/31/07 15:45:55 changed by wesley.moxam

  • status changed from closed to reopened.
  • resolution deleted.

10/31/07 16:03:47 changed by wesley.moxam

Table names are not being quoted in associations. Breaks mysql support.

ex: Foo.find(:all, :include => [:keys])

10/31/07 16:48:03 changed by wesley.moxam

  • attachment reserved_words_test_mysql.diff added.

Tests to ensure that AR associations are working with reserved words

11/07/07 15:17:22 changed by wesley.moxam

  • attachment associations.diff added.

11/07/07 23:00:28 changed by nzkoz

  • keywords changed from escaping sql verified to escaping sql.
  • status changed from reopened to closed.
  • resolution set to fixed.
  • summary changed from [PATCH] SQL query not escaping table names to [XPATCH] SQL query not escaping table names.

The newly attached patch doesn't have any tests, and this ticket is getting a little long in the tooth.

Could you add some tests then create a new ticket please, feel free to assign it straight to me.

11/07/07 23:13:47 changed by wesley.moxam

I did add a test for the reserved words that does test this patch (since all of the tests were passing in it's broken state)

See reserved_words_test_mysql.diff

11/07/07 23:15:02 changed by wesley.moxam

Also, if that test is not enough, what else is needed?

11/07/07 23:42:10 changed by nzkoz

Sorry I missed that :/ . Typically I'd prefer one patch with tests and implementation.

This looks fine to go in, but anything new should get its own ticket, this one's getting hard to follow ;)

11/07/07 23:48:06 changed by nzkoz 

  1) Failure:
test_construct_finder_sql_applies_association_conditions(InnerJoinAssociationTest)
    [./test/associations/inner_join_association_test.rb:29:in `test_construct_finder_sql_applies_association_conditions'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `__send__'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `run']:
<"SELECT `authors`.* FROM `authors`   INNER JOIN `categorizations` ON (`authors`.`id` = `categorizations`.`author_id`)  INNER JOIN `categories` ON (`categories`.`id` = `categorizations`.`category_id`) AND `categories`.`name` = 'General'  WHERE (TERMINATING_MARKER) "> expected to be =~
</INNER JOIN categories ON.*AND.*'General'.*TERMINATING_MARKER/>.

  2) Failure:
test_construct_finder_sql_cascades_inner_joins(InnerJoinAssociationTest)
    [./test/associations/inner_join_association_test.rb:18:in `test_construct_finder_sql_cascades_inner_joins'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `__send__'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `run']:
<"SELECT `authors`.* FROM `authors`   INNER JOIN `posts` ON `posts`.author_id = `authors`.id  INNER JOIN `comments` ON `comments`.post_id = `posts`.id  "> expected to be =~
</INNER JOIN posts ON posts.author_id = authors.id/>.

  3) Failure:
test_construct_finder_sql_creates_inner_joins(InnerJoinAssociationTest)
    [./test/associations/inner_join_association_test.rb:13:in `test_construct_finder_sql_creates_inner_joins'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `__send__'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `run']:
<"SELECT `authors`.* FROM `authors`   INNER JOIN `posts` ON `posts`.author_id = `authors`.id  "> expected to be =~
</INNER JOIN posts ON posts.author_id = authors.id/>.

  4) Failure:
test_construct_finder_sql_inner_joins_through_associations(InnerJoinAssociationTest)
    [./test/associations/inner_join_association_test.rb:24:in `test_construct_finder_sql_inner_joins_through_associations'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `__send__'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `run']:
<"SELECT `authors`.* FROM `authors`   INNER JOIN `categorizations` ON (`authors`.`id` = `categorizations`.`author_id`)  INNER JOIN `posts` ON (`posts`.`id` = `categorizations`.`post_id`)  "> expected to be =~
</INNER JOIN categorizations.*INNER JOIN posts/>.

  5) Failure:
test_construct_finder_sql_unpacks_nested_joins(InnerJoinAssociationTest)
    [./test/associations/inner_join_association_test.rb:35:in `test_construct_finder_sql_unpacks_nested_joins'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `__send__'
     /Library/Ruby/Gems/1.8/gems/mocha-0.5.5/lib/mocha/test_case_adapter.rb:19:in `run']:
<"SELECT `authors`.* FROM `authors`   INNER JOIN `posts` ON `posts`.author_id = `authors`.id  INNER JOIN `comments` ON `comments`.post_id = `posts`.id  "> expected to be =~
</INNER JOIN posts ON posts.author_id = authors.id/>.

Except for those test failures when running rake test_mysql. Can you deal to those, create a new ticket and send it to me?

11/08/07 00:03:07 changed by wesley.moxam

I noticed that those popped up after [8109]

I'll revisit it tomorrow and get you a new ticket.