Re: [courier-users] authmysql vs apostrophe [PATCH]

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--===============0844332572==
Content-Type: multipart/signed;
boundary="=_mimegpg-commodore.email-scan.com-12233-1209908088-0001";
micalg=pgp-sha1; protocol="application/pgp-signature"

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--=_mimegpg-commodore.email-scan.com-12233-1209908088-0001
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Alessandro Vesely writes:

> Sam Varshavchik wrote:
>> Alessandro Vesely writes:
>>
>>>
>>> * use mysql escape function also in a number of other places; the
>>> MySQL team took years to get it straight...
>>
>> Well, I don't think they got it right. There's no bounds checking in
>> mysql_real_escape_string! The documentation claims you just need to
>> provide enough room at least twice as long as the string length, but
>> then there are also some vague comments regarding the interaction of
>> this function with the locale's character set, which leaves me with a
>> somewhat uneasy feeling.
>
> Since they require 2*length+1, I assume they check that bound. I don't
> know the details of the implementation, but doubling seems quite
> enough. Even if mysql_real_escape_string() cannot fail, its output
> will eventually be parsed using some other function which is
> supposedly aware about what the former might have done.

I looked at MySQL's source. Their code assumes that the buffer passed to
mysql_real_escape_string is sized twice the size of the input buffer, plus
one byte, and the code checks for overflow. Still, the original patch looks
to be too complicated than it needs to be, so I'll need to do this myself.


--=_mimegpg-commodore.email-scan.com-12233-1209908088-0001
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBIHbt4x9p3GYHlUOIRAi7eAJ4zbrLGgaHNt5wGjqc7WZ tCDNW+MACfTiQw
Xp7QRD7VHjUjfE3B0Qg9skc=
=swjc
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-12233-1209908088-0001--


--===============0844332572==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757...un.com/javaone
--===============0844332572==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/.../courier-users

--===============0844332572==--