
*: using EscapeSQL to enhance SQL formatting in dumpling & lightning #33951

Closed
wants to merge 1 commit into from

Conversation

@s3nt3 (Contributor) commented Apr 14, 2022

What problem does this PR solve?

Issue Number: close #33950

Problem Summary:

Due to the lack of support for escape functions in the golang standard library (database/sql: missing escape functions #18478), formatting functions have to be used in Dumpling and Lightning to splice fields such as the schema, table name, column name, etc., which brings security risks.

What is changed and how it works?

The TiDB kernel implements some utility functions to handle internal SQL calls securely. We can use the utility function EscapeSQL implemented by the TiDB kernel to escape fields such as the schema, table name or column name, eliminating the hidden dangers of the current SQL formatting.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None
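The risk the PR description points at, and the escaping it proposes, shown as an added Go example written for this page (it is not code from the PR or from TiDB): `naiveSelect` pastes identifiers into SQL text with `fmt.Sprintf`, `quoteIdentifier` is a hypothetical stand-in for an identifier escaper in the spirit of the `%n` verb of TiDB's `sqlexec.EscapeSQL`, and the hostile table name is a constructed sample. `scanSQL` is a small checker that reads the resulting text the way a backtick-aware tokenizer would, so the difference between the two statements is measurable rather than eyeballed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample input (not from the PR): a table name that an attacker
// controls, crafted to close the backtick quote and append a second statement.
const (
	schemaName  = "app"
	hostileName = "users`; DROP TABLE app.users; -- "
)

// naiveSelect shows the pattern the PR wants to retire: untrusted identifiers
// are pasted into SQL text with fmt.Sprintf, and the backticks are only cosmetic.
func naiveSelect(schema, table string) string {
	return fmt.Sprintf("SELECT * FROM `%s`.`%s`", schema, table)
}

// quoteIdentifier is a hypothetical stand-in for an identifier escaper (it is
// not TiDB's EscapeSQL): a MySQL identifier is wrapped in backticks and any
// backtick inside the name is doubled, so the name can never end the quote.
func quoteIdentifier(name string) string {
	return "`" + strings.ReplaceAll(name, "`", "``") + "`"
}

// safeSelect builds the same statement with every identifier escaped first.
func safeSelect(schema, table string) string {
	return fmt.Sprintf("SELECT * FROM %s.%s", quoteIdentifier(schema), quoteIdentifier(table))
}

// scanSQL is a minimal reader of backtick-quoted identifiers. It returns the
// identifiers found, the number of ';' seen outside any quote (extra statement
// boundaries), and whether a quote was still open at end of input. It ignores
// string literals and comments, which is enough for this demonstration.
func scanSQL(sql string) (idents []string, breaks int, unterminated bool) {
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case inQuote && c == '`':
			if i+1 < len(sql) && sql[i+1] == '`' {
				cur.WriteByte('`') // a doubled backtick is a literal backtick
				i++
				continue
			}
			idents = append(idents, cur.String()) // closing backtick
			cur.Reset()
			inQuote = false
		case inQuote:
			cur.WriteByte(c)
		case c == '`':
			inQuote = true
		case c == ';':
			breaks++
		}
	}
	return idents, breaks, inQuote
}

func main() {
	for _, sql := range []string{naiveSelect(schemaName, hostileName), safeSelect(schemaName, hostileName)} {
		idents, breaks, open := scanSQL(sql)
		fmt.Printf("%s\n  identifiers=%q extra-statements=%d unterminated=%v\n", sql, idents, breaks, open)
	}
}
```

Run with `go run`: the naive statement scans as three statement fragments with a dangling quote, while the escaped one scans as one statement whose second identifier round-trips to the hostile name unchanged. Escaping identifiers is the right fix only where an identifier is what is being spliced; values belong in placeholders (database/sql parameters, or the value verb of an escaper such as EscapeSQL), not in identifier quoting.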

@ti-chi-bot (Member) commented

[REVIEW NOTIFICATION]

This pull request has not been approved.

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

The full list of commands accepted by this bot can be found here.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 14, 2022
@lichunzhu lichunzhu added component/lightning This issue is related to Lightning of TiDB. component/dumpling This is related to Dumpling of TiDB. labels Apr 14, 2022

@s3nt3 s3nt3 closed this Apr 15, 2022