[CONJ-545] MariaDB JDBC driver prepared statement string escaping problems with CONNECT Created: 2017-11-04  Updated: 2017-11-21  Resolved: 2017-11-21

Status: Closed
Project: MariaDB Connector/J
Component/s: JDBC 4.2 compatibility
Affects Version/s: 1.6.3
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Robert Dyas Assignee: Diego Dupin
Resolution: Not a Bug Votes: 0
Labels: None
Environment:

Centos7


 Description   

See MDEV-13925 for details.

It appears when using prepared statements and binding a string that contains special characters such as single quote (') or double quote (") and possibly others, the JDBC driver escapes with a \' or \".

While this is apparently valid syntax for MariaDB, when passed to a CONNECT table it is often incompatible with the remote server (Microsoft, Postgres).

Is there any reason not to just place the string in single quotes and escape single quotes the ANSI way (doubling up on single quotes) and not escaping any other characters?



 Comments   
Comment by Diego Dupin [ 2017-11-06 ]

There is 2 different prepared statement in Mariadb jdbc driver :

  • client implementation
  • server implementation

Server implementation on Connection.prepareStatement(<query>) will send a PREPARE command to server,
prepareStatement.execute() will send parameters to server and execute command.

Client implementation is different : driver will parse query and replace "?" parameters with escaped parameters.
Example :
query "Insert into table1 value ".
parameter is "Bob's".

There is 2 different escapes according to server NO_BACKSLASH_ESCAPES (https://mariadb.com/kb/en/library/sql-mode/ ).
if NO_BACKSLASH_ESCAPES is set, quote will be escaped by quote. if not set, escape character is BACKSLASH.

So depending on SQL_MODE values :
if NO_BACKSLASH_ESCAPES is set: "Insert into table1 value ('Bob''s')"
if NO_BACKSLASH_ESCAPES is NOT set : "Insert into table1 value ('Bob\'s')"

By default NO_BACKSLASH_ESCAPES is not set, so escape will use BACKSLASH, then beeing compatible with other DBMS.

this SQL_MODE can be set on connectionString. Example :
"jdbc:mariadb://host/db?user=xxx&sessionVariables=sql_mode=NO_BACKSLASH_ESCAPES"

Generated at Thu Feb 08 03:16:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.