[prev in list] [next in list] [prev in thread] [next in thread]
List: freetds
Subject: Re: [freetds] Mangled SQL due to mis-tracking of quotes and ODBC escapes
From: Frediano Ziglio <freddy77 () gmail ! com>
Date: 2014-08-10 11:57:18
Message-ID: CAHt6W4cse-aGGioZVo6FM1_-5mdNWYF84J-x2t=3G_iv=M=ZNg () mail ! gmail ! com
[Download RAW message or body]
Backport patch in 0.91 branch.
Frediano
Frediano
2014-08-07 19:58 GMT+01:00 Richard Hughes <cyreve@gmail.com>:
> Hi there,
>
> I wrote a stored procedure using some of SQL Server's XML functions
> and discovered that, upon trying to run the create proc statement
> through a FreeTDS/unixodbc connection, the content was getting mangled
> and hence rejected.
>
> Here's a reduced test case in Python:
>
> import pyodbc
> db =
> pyodbc.connect('DRIVER={FreeTDS};SERVER=198.51.100.1;PORT=1433;DATABASE=master;UID=sa;PWD=password;QuotedID=Yes;AnsiNPW=Yes',
> autocommit=True)
> cur = db.cursor()
> cur.execute('''
> set quoted_identifier on
> set ansi_warnings on
> set ansi_padding on
> set ansi_nulls on
> set concat_null_yields_null on
> -- This doesn't work
> declare @x xml = '';
> declare @d datetime;
> set @x.modify('insert attribute d {sql:variable("@d")} into (/e)[1]');
> ''')
>
> It looks like src/odbc/native.c:to_native() is not caring about the
> comment "--" so is losing track of whether we're in a string or not.
> It then concludes that {sql:variable("@d")} is an ODBC escape and
> transforms it into just :variable("@d"), which SQL Server rejects.
> This means that you can make the above test case work by simply
> removing the comment (or, indeed, adding another quote to it).
>
> Is this right?
>
> Richard.
>
> _______________________________________________
> FreeTDS mailing list
> FreeTDS@lists.ibiblio.org
> http://lists.ibiblio.org/mailman/listinfo/freetds
>
_______________________________________________
FreeTDS mailing list
FreeTDS@lists.ibiblio.org
http://lists.ibiblio.org/mailman/listinfo/freetds
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic