SQL escape special characters #5

Closed
dragonpil opened this issue Jun 20, 2023 · 2 comments

@dragonpil

When a filename contains special characters like a ' they are not escaped and this leads to an SQL error:

    Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'xxxxxxx.docx' AND ST.numeric_id = FC.storage AND FC.mimetype ...' at line 1 in /var/www/nextcloud-S3-local-S3-migration/localtos3.php:393
    Stack trace:
    #0 /var/www/nextcloud-S3-local-S3-migration/localtos3.php(393): mysqli->query('SELECT ST.`id...')
    #1 {main}
    thrown in /var/www/nextcloud-S3-local-S3-migration/localtos3.php on line 393

@dragonpil
Author

This issue just appears when S3 is not empty. Before I used the script I tried to sync all files to S3 with aws s3 sync..., the script saves the data with ids and not with the filename and path. So no issue, just my wrong usage ;)

@mrAceT
Owner

mrAceT commented Jun 21, 2023

Thank you for fixing it yourself ;)

For future reference:

I am assuming the trouble was at this line:

    " AND `FC`.`fileid` = '".substr($object['Key'],8)."'". # should be only one..

The objects (files) are read via 'S3list' here:

    $objects = S3list($s3, $bucket);

That is loaded via an AWS-S3 function; the results are the "internal file names" used by Nextcloud (structure urn:oid:123), the last part is a number. If somehow (by accident) there are already files in the S3 bucket (especially with "odd characters"), then the script will fail because the first-mentioned line does not escape the content.

I just published version 0.36 with this to nicely catch this:

    if ( !preg_match('/^[0-9]+$/',substr($object['Key'],8)) ) {
      echo "\nFiles in the S3 bucket should be of structure 'urn:oid:[number]',".
           "\nThe bucket that Nextcloud uses may only contain files of this structure.".
           "\nFile '".$object['Key']."' does not conform to that structure!\n";
      die;
    }

@mrAceT mrAceT reopened this Jun 21, 2023
@mrAceT mrAceT closed this as completed Jun 21, 2023
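
Added example, not code from this repository: one way to make the lookup discussed in this thread robust is to match the whole object key against urn:oid:[number] and pass the id as a bound parameter instead of concatenating it into the query. It assumes PHP with PDO and the SQLite driver; the `filecache` table, its `path` column, the sample keys and the helper names `oidFromKey` and `findPath` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Return the numeric file id for a Nextcloud object key, or null when the key
// is not exactly 'urn:oid:<digits>'. \A and \z anchor at the true start and
// end of the string, so a key with a trailing newline is rejected as well.
function oidFromKey(string $key): ?int
{
    return preg_match('/\Aurn:oid:([0-9]+)\z/', $key, $m) === 1 ? (int) $m[1] : null;
}

// Look the id up with a bound parameter, so the value never becomes SQL text.
function findPath(PDO $db, int $fileid): ?string
{
    $stmt = $db->prepare('SELECT path FROM filecache WHERE fileid = :id');
    $stmt->execute([':id' => $fileid]);
    $path = $stmt->fetchColumn();
    return $path === false ? null : (string) $path;
}

// Constructed stand-in for the Nextcloud file cache (SQLite in memory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE filecache (fileid INTEGER PRIMARY KEY, path TEXT)');
$db->exec("INSERT INTO filecache VALUES (123, 'files/report.docx')");

// Constructed bucket listing: one valid object and two stray ones, such as
// files copied into the bucket under their own names.
$keys = ['urn:oid:123', "Documents/O'Brien notes.docx", "urn:oid:123\n"];

foreach ($keys as $key) {
    $id = oidFromKey($key);
    if ($id === null) {
        // json_encode makes quotes and control characters visible in the log.
        echo 'skipped (not urn:oid:[number]): ' . json_encode($key) . "\n";
        continue;
    }
    echo $key . ' -> ' . (findPath($db, $id) ?? 'no filecache row') . "\n";
}
```

Skipping and reporting a stray key, rather than stopping at the first one, is a choice made for this example; the validation decides whether a key is processed at all, and the bound parameter keeps the query well-formed regardless of what the bucket contains.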