[Pdns-users] PDNS + MySQL results not un-escaped?

[Norbert Sendetzky]

Hi Rudolph

> maybe there's a misunderstanding here on my side but
> mysql_real_escape_string() still adds backslashes to some special chars
> (like ' or " and \), doesnt it? That would probably not affect the case of
> escaping a semicolon like stated below.

Yes, it does but that's a MySQL specific behaviour and all other databases 
don't do this. SQL ANSI escaping only duplicates single quotes.

Example: mysql_real_escape( \ ; ' " ) -> \\ ; \' \"

Nevertheless, no backslashes are added to semicolons.

> But what happens if theres a TXT record contaning ', " or \? PowerDNS
> would still retrieve those strings as they are and deliver the record
> including the escape-backslashes.

I've done a short test what happens. The result is that we get the original 
string back:

\ ; ' "

So there will be no problem when using mysql_real_escape().

> Does anyone know how other database
> backends for powerdns or other nameservers with DB backends handle this
> scenario?

The PowerDNS opendbx backend uses the odbx_escape() function from the OpenDBX 
library which uses the escape functions of the client database libraries or if 
there's no client escape function available provides it's own one which does 
ANSI escaping (duplicating single quotes). The other database backends use the 
native escape functions as I remember correctly.

I think that we are save from the PowerDNS and the database side but if a 
management applications inserts corrupted records, the problem must be fixed 
in these applications.


Norbert
-- 
OpenPGP public key
http://www.linuxnetworks.de/norbert.pubkey.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20100108/d2ba4477/attachment-0001.sig>