[Pdns-users] PDNS + MySQL results not un-escaped?

Rudolph Bott rb at knurps.org
Fri Jan 8 12:47:30 UTC 2010


Hi List,

maybe there's a misunderstanding here on my side but
mysql_real_escape_string() still adds backslashes to some special chars
(like ' or " and \), doesn't it? That would probably not affect the case of
escaping a semicolon like stated below.
But what happens if there's a TXT record containing ', " or \? PowerDNS
would still retrieve those strings as they are and deliver the record
including the escape-backslashes. Does anyone know how other database
backends for powerdns or other nameservers with DB backends handle this
scenario?

On Wed, 06 Jan 2010 13:27:31 -0500, Patrick Domack
<patrickdk at patrickdk.com> wrote:
> Most people have solved this issue awhile ago, but some people never
> upgrade or review documentation, so here are the things I would check.
> 
> Sounds like this is php, so:
> Make sure magic_quotes_gpc is not on in php.ini, or by other means
> Make sure the php program isn't using add_slashes
> If it is using add_slashes, replace with mysql_real_escape_string
> 
> 
> Quoting Michael <pdns at nettrust.co.nz>:
> 
>> On Wed, 06 Jan 2010 21:56:08 you wrote:
>>> Hi Michael
>>>
>>> > When I enter a DKIM or Domain Keys record, which requires use of ';',
>>> > the records on the secondary name server have this character escaped
>>> > with '\', as to be expected.
>>> >
>>> > As this character has a special meaning in MySQL I would think the
>>> > simple answer would be to unescape it prior to returning the RR.
>>>
>>> This is a common misunderstanding of web developers that escaping in
>>> MySQL is done by adding backslashes. Instead, escaping is done by calling
>>> mysql_real_escape(), which prepares the string to be safe when storing
>>> it to the database but when fetching the string again, it will be the
>>> same as before calling mysql_real_escape(). Therefore, if a web
>>> application adds backslashes it corrupts the record and this has to be
>>> considered as a bug of the web application.
>>
>> Ok, so is there any downside to adding an unescape to the code and could
>> this be done by the programmers?
>>
>> I didn't write the web based SQL admin... I use the proper MySQL
>> function in my own code, but I am not rewriting the web based admin...
>>
>>
>> _______________________________________________
>> Pdns-users mailing list
>> Pdns-users at mailman.powerdns.com
>> http://mailman.powerdns.com/mailman/listinfo/pdns-users
>>

-- 
Mit freundlichen Grüßen / with kind regards
  Rudolph Bott
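
Added example, not part of the original thread: a pure-Python model of the escaping discussed above, assuming MySQL's default SQL mode (NO_BACKSLASH_ESCAPES off). It shows that a value escaped once is stored unchanged, while a value that also passes through addslashes() or magic_quotes_gpc is stored with literal backslashes; all function names here are illustrative.

```python
# Added example: pure-Python model of MySQL string-literal escaping.
# Assumes the default SQL mode (NO_BACKSLASH_ESCAPES off); names are illustrative.

# Characters mysql_real_escape_string() escapes. Note that ';' is not among them.
REAL_ESCAPE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
               "\\": "\\\\", "'": "\\'", '"': '\\"'}
# Characters PHP addslashes() / magic_quotes_gpc escape.
ADDSLASHES = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"'}
# Escape sequences the SQL parser decodes inside a quoted literal.
DECODE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}


def real_escape(value):
    return "".join(REAL_ESCAPE.get(ch, ch) for ch in value)


def addslashes(value):
    return "".join(ADDSLASHES.get(ch, ch) for ch in value)


def server_parse(literal_body):
    """Return what the server stores for the body of a quoted string literal."""
    out, i = [], 0
    while i < len(literal_body):
        ch = literal_body[i]
        if ch == "\\" and i + 1 < len(literal_body):
            nxt = literal_body[i + 1]
            # \% and \_ keep their backslash outside LIKE patterns; any other
            # unknown sequence such as \; decodes to the bare character.
            out.append("\\" + nxt if nxt in "%_" else DECODE.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_content(user_input, app_adds_slashes=False):
    """Column value after INSERT ... VALUES ('<escaped input>')."""
    if app_adds_slashes:  # magic_quotes_gpc on, or an explicit addslashes() call
        user_input = addslashes(user_input)
    return server_parse(real_escape(user_input))


# Constructed TXT content containing ;, ", ' and \
TXT = 'v=DKIM1; k=rsa; n="it\'s a \\ test"'

if __name__ == "__main__":
    print("escaped once :", stored_content(TXT))
    print("escaped twice:", stored_content(TXT, app_adds_slashes=True))
```
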
