Opened 12 years ago
Closed 9 years ago
#11007 closed defect (fixed)
database bugs: wrong table name and failure to escape single quotes
Reported by: | Owned by: | Ryan J Ollos | |
---|---|---|---|
Priority: | normal | Component: | DirectoryAuthPlugin |
Severity: | normal | Keywords: | |
Cc: | Trac Release: | 1.0 |
Description
I just installed your plugin using easy_install from the trunk and I got warnings about non-existant table 'ad_cache' because it has been changed to 'dir_cache'. Also, you aren't using prepared statements for your SQL commands and therefore you have not escaped necessary characters such as single quote. Since this is an AD plugin and names (like mine) can have apostrophes, it needs a fix. Otherwise, very nice plugin.
I attached a patch where I fixed these things quick and dirty in my environment.
Attachments (3)
Change History (18)
Changed 12 years ago by
Attachment: | database_bugs.diff added |
---|
comment:1 Changed 12 years ago by
Looks good! If I may recommend some Trac Fu here ... I think that string formatting should not be used for preparing the SQL statement. See t:TracDev/DatabaseApi#Parameterpassing for details.
cur.execute("INSERT OR REPLACE INTO session_attribute (sid, authenticated, name, value) VALUES ('%s', 1, 'name', '%s')" % (uname, to_unicode(displayname.replace("'","''"))))
->
cur.execute(""" INSERT OR REPLACE INTO session_attribute (sid, authenticated, name, value) VALUES ('%s', 1, 'name', '%s') """, (uname, to_unicode(displayname)))
That change is untested since I have no access to or any experience with Active Directory. I think you probably don't need single quotes around the two format parameters (%s
).
Could you try improving your patch in that way? The other part of your patch definitely needs to be applied since the plugin appears to be totally broken. If sandinak is not available, I'll apply the patch provided we can properly fix that SQL statement.
comment:2 follow-up: 4 Changed 12 years ago by
I realized this is actually two bugs but it was late and I was too lazy to open two tickets. I figured Trac had a better way to do the SQL statements besides string formatting. Unfortunately, the plugin is riddled with them. I'll fix the one in question but maybe we can fork off a task to go back and fix the rest at a later date. I made your suggested changes and tested it. It's working for me. Also, I'm not sure if you want to include it but I'm a big fan of bumping the version number for every little change in something like a plugin so that's still included in the patch. Thanks!
comment:3 Changed 12 years ago by
Owner: | changed from branson to Ryan J Ollos |
---|---|
Status: | new → assigned |
Great, thanks for revising the patch. I will commit it this evening or tomorrow morning, and if you would kindly test the latest trunk just to make sure it's working correctly after the commit, I would appreciate it.
If you decide to fix the other SQL issues now or later on, I'd be happy to continue helping by reviewing and pushing the changes.
comment:4 Changed 12 years ago by
Replying to kyle.james.oconnor@gmail.com:
[...] Also, I'm not sure if you want to include it but I'm a big fan of bumping the version number for every little change in something like a plugin so that's still included in the patch.
I'll make sure to bump the version number as well.
comment:5 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:7 Changed 12 years ago by
The file had a combination of 4-space and 2-space indentation, which I attempted to fix in [12962]. This definitely needs a bit of testing. Please report back if you can. Thanks!
comment:8 follow-up: 10 Changed 12 years ago by
Looks good, but I found a orphaned quote causing problems. See 11007.129632.fix.diff (attached)
Changed 12 years ago by
Attachment: | 11007.12962.fix.diff added |
---|
comment:9 Changed 12 years ago by
comment:10 Changed 12 years ago by
Replying to kyle.james.oconnor@gmail.com:
Looks good, but I found a orphaned quote causing problems. See 11007.129632.fix.diff (attached)
Thanks for testing and reporting that. I knew that I wouldn't be lucky enough to change so many lines without testing and leaving at least one error!
comment:11 Changed 12 years ago by
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:12 Changed 12 years ago by
Owner: | changed from Ryan J Ollos to branson |
---|---|
Status: | reopened → new |
comment:13 Changed 11 years ago by
ad_cache
table name used in queries replaced by dir_cache
again in #11495.
comment:14 Changed 9 years ago by
Owner: | changed from branson to Ryan J Ollos |
---|---|
Status: | new → accepted |
comment:15 Changed 9 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
q&d patch to fix my reported issues