[patch_done] passwords with ; in them

Posted: 03.03.2012, 13:17
by CompsSQL
One of our databases has a db-account that has a ; in the password (I am not the DBA and cannot change this password).
As ; is used as a separator to pass information between the zeos objects, the password gets truncated at the ; sign.

To solve this, I have changed some code in zsysutils.pas (revision 1039):
(change = translate ; to \; when building the string, and translate \; back to ; when using it)

1. rewritten the FirstDelimiter function:

function FirstDelimiter(const Delimiters, Str: string): Integer;
var I, Index, j: Integer;
    d          : Char;
begin
  Result := 0;
  for I := 1 to Length(Delimiters) do begin
    d := Delimiters[I];
    if (d = ';') and (Pos('\;', Str) > 0) then begin
      // Str contains an escaped ';': find the first ';' not preceded by '\'
      Index := 0;
      for j := 1 to Length(Str) do
        if Str[j] = ';' then begin
          if (j > 1) and (Str[j-1] = '\') then Continue;
          Index := j;
          Break;
        end;
    end else
      Index := Pos(d, Str);
    // keep the leftmost position found across all delimiters
    if (Index > 0) and ((Index < Result) or (Result = 0)) then
      Result := Index;
  end;
end;

2. modified the SplitToStringList procedure
2a. changed "List.Add(Copy(Str, 1, DelimPos - 1));" to

List.Add(StringReplace(Copy(Str, 1, DelimPos - 1), '\;', ';', [rfReplaceAll]));
2b. changed "List.Add(Str);" to

List.Add(StringReplace(Str, '\;', ';', [rfReplaceAll]));

Posted: 03.03.2012, 15:12
by EgonHugeist
Here I think it would be better to use some whitespace like #9 which the user can't use (#9 = Tab, so the cursor jumps out of the input field) instead of our ';'. You are right here, I'll put it on my todo list. But your improvement I can't accept. What if the next user uses a combination like 'ngdhfgh;\ztr'?

Best regards

Posted: 04.03.2012, 19:50
by CompsSQL
Agreed. My \; approach was not that good.
I like your #9 solution.
Thanks for the fast reply and excellent idea.
Looking forward to seeing it implemented.

Posted: 06.03.2012, 10:02
by EgonHugeist
Job done. #9 introduced as URL-Delimiter.

Checkout repository \testing rev. 1059 or \testing-egonhugeist rev 1060.

Btw. which compiler and which branch do you use?

Posted: 15.03.2012, 01:26
by mdaems
Maybe a stupid question, but doesn't this change the way people connect to the database when using the dbc layer directly? Or does this not impact the connect string structure?

Mark

Posted: 15.03.2012, 10:54
by EgonHugeist
Hmm, Mark, you're right here.

Why I did it:

After this issue was reported I tested passwords, usernames and several additional params with ';' in the strings. The ZURL results were really crazy there.
So I think this reported problem was a real leak we had here. (Never reported before -> everything is possible.)

Generally it is possible to use all non-whitespace characters in the URL strings. I'm a direct dbc user in my projects. But there I've copied the ConstructURL function into my projects.

Maybe it would be better if I export this function for the DbcConnection to avoid additional problems. And the users can easily access this function.

Michael

Posted: 25.04.2012, 20:56
by mdaems
Meanwhile we fixed this by introducing the ZURL object as the preferred container for connection properties which takes care of escaping special characters, ...

Functionality is unchanged for existing programs. However, now it's possible to store ; as part of the password which wasn't possible before.

This change also invoked an internal rewrite of the constructor code of ZDbcConnection classes (and descendants).

Mark
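
An added example, not part of the thread and not Zeos code: a round-trip-safe form of the escaping idea discussed above, in which the escape character is itself escaped so that values such as 'ngdhfgh;\ztr' or a password ending in '\' survive splitting. The names EscapeValue and SplitEscaped are hypothetical, and the passwords are constructed samples.

```pascal
program EscapeDemo;
{$IFDEF FPC}{$mode delphi}{$H+}{$ENDIF}
uses SysUtils, Classes;
const Delim = ';'; Esc = '\';

// Escape a value so no character in it can be read as a delimiter. The escape
// character is doubled first; the '\;'-only scheme in the thread omitted this,
// so a value ending in '\' would swallow the delimiter that follows it.
function EscapeValue(const S: string): string;
begin
  Result := StringReplace(S, Esc, Esc + Esc, [rfReplaceAll]);
  Result := StringReplace(Result, Delim, Esc + Delim, [rfReplaceAll]);
end;

// Split on unescaped delimiters and unescape in one left-to-right pass.
procedure SplitEscaped(const S: string; List: TStrings);
var I: Integer; Cur: string;
begin
  Cur := ''; I := 1;
  while I <= Length(S) do
  begin
    if (S[I] = Esc) and (I < Length(S)) then
    begin
      Inc(I);              // the character after an escape is taken literally
      Cur := Cur + S[I];
    end
    else if S[I] = Delim then
    begin
      List.Add(Cur);       // unescaped delimiter: the current field ends here
      Cur := '';
    end
    else
      Cur := Cur + S[I];
    Inc(I);
  end;
  List.Add(Cur);
end;

var L: TStringList;
begin
  L := TStringList.Create;
  try
    // Constructed sample passwords: one ends in '\', one contains ';\'
    SplitEscaped(EscapeValue('ends\') + Delim + EscapeValue('ngdhfgh;\ztr'), L);
    WriteLn(L.Count, ': ', L[0], ' | ', L[1]);
  finally
    L.Free;
  end;
end.
```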