[Pdns-users] PDNS + MySQL results not un-escaped?

Patrick Domack patrickdk at patrickdk.com
Fri Jan 8 14:06:12 UTC 2010


I think you're confusing escaping. Escaping in mysql isn't stored in the
database, it's only to pass it through to the server. The mysql server
removed the escaping, before it stored it, so when you read it, it's
clean and ready to be used.

This causes issues as to what needs to be escaped, because if you escape
everything, mysql won't remove it from everything, and some will be
left behind, like with your ;

This is what mysql_real_escape_string is for. It will ask the server
what needs to be escaped, based on the current charset selected and
encoding being used, and escape those.

Quoting Rudolph Bott <rb at knurps.org>:

> Hi List,
>
> maybe there's a misunderstanding here on my side but
> mysql_real_escape_string() still adds backslashes to some special chars
> (like ' or " and \), doesn't it? That would probably not affect the case of
> escaping a semicolon like stated below.
> But what happens if there's a TXT record containing ', " or \? PowerDNS
> would still retrieve those strings as they are and deliver the record
> including the escape-backslashes. Does anyone know how other database
> backends for powerdns or other nameservers with DB backends handle this
> scenario?
>
> On Wed, 06 Jan 2010 13:27:31 -0500, Patrick Domack
> <patrickdk at patrickdk.com> wrote:
>> Most people have solved this issue a while ago, but some people never
>> upgrade or review documentation, so here are the things I would check.
>>
>> Sounds like this is php, so:
>> Make sure magic_quotes_gpc is not on in php.ini, or by other means
>> Make sure the php program isn't using add_slashes
>> If it is using add_slashes, replace with mysql_real_escape_string
>>
>>
>> Quoting Michael <pdns at nettrust.co.nz>:
>>
>>> On Wed, 06 Jan 2010 21:56:08 you wrote:
>>>> Hi Michael
>>>>
>>>> > When I enter a DKIM or Domain Keys record, which requires use of ';',
>>>> > the records on the secondary name server have this character escaped
>>>> > with '\', as to be expected.
>>>> >
>>>> > As this character has a special meaning in MySQL I would think the
>>>> > simple answer would be to unescape it prior to returning the RR.
>>>>
>>>> This is a common misunderstanding of web developers that escaping in
>>>> MySQL is done by adding backslashes. Instead, escaping is done by calling
>>>> mysql_real_escape(), which prepares the string to be safe when storing
>>>> it to the database but when fetching the string again, it will be the
>>>> same as before calling mysql_real_escape(). Therefore, if a web
>>>> application adds backslashes it corrupts the record and this has to be
>>>> considered as bug of the web application.
>>>
>>> Ok, so is there any downside to adding an unescape to the code and
>>> could this be done by the programmers?
>>>
>>> I didn't write the web based SQL admin... I use the proper MySQL
>>> function in my own code, but I am not rewriting the web based admin...
>>>
>
> --
> Mit freundlichen Grüßen / with kind regards
>   Rudolph Bott
>
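
Added example (not part of the original thread, and not PowerDNS or PHP code): a small Python model of the escaping round trip discussed above, assuming MySQL's default sql_mode (NO_BACKSLASH_ESCAPES off). The function names and the sample TXT value are constructed for illustration. It shows that one round of escaping is undone by the server, while a value the application has already escaped is stored with its backslashes.

```python
# Model of MySQL string-literal handling (default sql_mode, without
# NO_BACKSLASH_ESCAPES). A simulation for illustration, not a MySQL client.

# Characters mysql_real_escape_string() rewrites with a leading backslash.
_ESCAPE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences the server's literal parser decodes.
_DECODE = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
           "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}

def real_escape(value):
    """Client side: make value safe inside a quoted SQL string literal."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def addslashes(value):
    """What PHP addslashes() / magic_quotes_gpc does to request input."""
    return "".join("\\0" if ch == "\0" else
                   ("\\" + ch if ch in "'\"\\" else ch) for ch in value)

def server_store(literal_body):
    """Server side: decode the literal body; the result is the column value."""
    out, i = [], 0
    while i < len(literal_body):
        ch = literal_body[i]
        if ch == "\\" and i + 1 < len(literal_body):
            nxt = literal_body[i + 1]
            if nxt in "%_":
                out.append("\\" + nxt)             # kept for LIKE patterns
            else:
                out.append(_DECODE.get(nxt, nxt))  # unknown \x becomes x
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def round_trip(value, pre_escaped=False):
    """Return the stored column value after one INSERT of value."""
    if pre_escaped:            # application or magic quotes escaped it first
        value = addslashes(value)
    return server_store(real_escape(value))

# Constructed sample TXT content; the key is a placeholder.
TXT = '"v=DKIM1; k=rsa; p=PLACEHOLDER"'

if __name__ == "__main__":
    print("escaped once :", round_trip(TXT))
    print("escaped twice:", round_trip(TXT, pre_escaped=True))
    print("hand-escaped ';' then escaped:", round_trip("k=rsa\\; p=x"))
```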




