Placeholder interpolation

[arvenil]

@methane did awesome job in #297 and since I'm highly interested in this PR I wanted to test it. However #297 was out of sync with master ("This pull request contains merge conflicts that must be resolved.") so I merged changes from master.
Since I was already testing this. I've also:

• added some basic tests for escape functions (100% code coverage)
• exported escape functions (in case anyone would like to use them)
• added some basic sql injection tests (including sql_mode=NO_BACKSLASH_ESCAPES)
• referenced ported code to mysql source code (just in case if anyone like me;) would like to take a look if port is correct)

Feel free to merge this or throw away, I did this mostly to verify correctness.

One more time thanks for this @methane !

[methane]

Good job!

[arnehormann]

I'll hopefully get to review this soon.
Some remarks I already have from skimming it:

@arvenil add yourself to the AUTHORS file please.
@methane please close the other PR and reference this one if you are ok with arvenil taking over for you.

I will probably merge #311 first (it's pretty small), as this also hits const.go, you'll have to resync - sorry.

Can you change the tests so SELECT ... CAST is used instead of table writes? I don't know if that's applicable here, but I'd love to reduce the amount of disk IO during testing in the long run. See the DATE/TIME tests for example.

I don't like the Escape... functions, I prefer an externally controllable buffer and quotes embedded in the function.
Have a look at http://play.golang.org/p/ujxynUDVhE (extra points to you for a benchmark gist to compare speed & allocations).
I also think the EscapeQuoting tests are wrong. As a question: how would you be able to upload and retrieve a string foo\x00bar unchanged by the driver?

[methane]

I feel "interpolation" is better word than "substitution." But I'm not sure since I'm native English.

@arvenil May I write optimized version of escaping function?

[arvenil]

@methane Yes, I've added you to https://github.com/arvenil/mysql/tree/placeholder as collaborator so you could push to this PR but do whatever suits you better.

I will address other questions and issues later, when time allows.

[arvenil]

Hi @arnehormann

I also think the EscapeQuoting tests are wrong. As a question: how would you be able to upload and retrieve a string foo\x00bar unchanged by the driver?

For MySQL data is not changed, it is escaped. This is done exactly the same way how MySQL does it. Take a look at https://github.com/mysql/mysql-server/blob/mysql-5.7.5/mysys/charset.c#L823-L932 https://github.com/mysql/mysql-server/blob/mysql-5.7.5/mysys/charset.c#L963-L1038

To prove that data is not changed I've added TestInsertRetrieveEscapedData. You can see there that retrieved value equals inserted foo \x00\n\r\x1a\"'\\.

[arnehormann]

statusReserved // not in documentation please

[methane]

fixed

[arnehormann]

When the connection encoding is not utf8, the connection becomes vulnerable to SQL injection attacks.

Maybe I misread something, but how does this depend on utf8?

[methane]

If connection encoding is Shift-JIS, 95 5c 27 20 should be encoded into 95 5c 27 20 since 95 5c represents one multibyte char (表).
But escapeBytesBackslash and escapeStringBackslash encode it into 95 5c 5c 27 20 since 5c is \.
This is famous SQL injection vulnerability in Japan.

[julienschmidt]

Let me also do a final review later before merging.

[arnehormann]

@julienschmidt I intended to do so. This is huge...

[julienschmidt]

use just db.Query() / db.Exec() instead of sql.Db.Query() / sql.Db.Exec()

[julienschmidt]

If interpolateParams is true, placeholders (?) in calls to db.Query() and db.Exec() are interpolated into a single query string with the given parameters. This reduces the number of roundtrips, since the driver has to prepare a statement, execute it with the given parameters and close the statement again with interpolateParams=false.

[julienschmidt]

The exact same code from L819-L824 is used 4 times. Move it to a helper function. And rename n to newBuf. n is more or less reserved for numbers 😉

[julienschmidt]

And why pos+end by the way?

[methane]

did it.
pos+end = len(old)*2 + reserved size. len(buf)*2 is for exponential realloc.

[julienschmidt]

It might be better to use a blacklist instead. MySQL only supports 5 unsafe collations: big5, cp932, gb2312, gbk and sjis

[julienschmidt]

The blacklist would then be:
"big5_chinese_ci": 1,
"sjis_japanese_ci": 13,
"gbk_chinese_ci": 28,
"big5_bin": 84,
"gb2312_bin": 86,
"gbk_bin": 87,
"sjis_bin": 88,
"cp932_japanese_ci": 95,
"cp932_bin": 96,

You can also directly check the ID instead of the name then

[methane]

fixed.

[arnehormann]

@methane praise your patience and thank you for doing this... 😀

[julienschmidt]

LGTM... almost

[julienschmidt]

@arvenil please add yourself to the AUTHORS file

[julienschmidt]

Thank you!

[methane]

FYI, I've wrote blog post about optimizing this pull request.
http://methane.github.io/2015/02/reduce-allocation-in-go-code/