ngx.quote_sql_str may not handle \0

siddontang · 2013-09-06T12:36:15+00:00

Hello! On Fri, Sep 6, 2013 at 4:00 AM, shubham srivastava wrote: > Thanks Agentzh, > Please don't capitalize my nick. Thank you. > This worked li...

ngx.quote_sql_str may not handle \0

siddontang

Hi:

I use string.format and ngx.quote_sql_str to construct a sql, but I found that quote_sql_str may not handle \0 like this:

print(string.format(ngx.quote_sql_str("abc\0abc")))

the output is 'abc and \0abc' is truncated.

I notice that http://dev.mysql.com/doc/refman/5.0/en/string-literals.html say \0 will be escaped.

My openresty version is 1.2.7.8.

Thank you!

agentzh

Hello!

On Thu, Sep 5, 2013 at 9:36 PM, Siddon Tang wrote:
> I use string.format and ngx.quote_sql_str to construct a sql, but I found
> that quote_sql_str may not handle \0 like this:
>
>     print(string.format(ngx.quote_sql_str("abc\0abc")))
>
> the output is 'abc and \0abc' is truncated.
>
> I notice that http://dev.mysql.com/doc/refman/5.0/en/string-literals.html
> say \0 will be escaped.
>

Thank you for the catch!

Just committed a patch to ngx_lua's git master to fix this issue:

    https://github.com/chaoslawful/lua-nginx-module/commit/6e4b574

Best regards,
-agentzh