Trilogy – GitHub-built MySQL client library written in C (opens in new tab)

(github.com)

29 pointsbrianmario4y ago5 comments

5 comments

Naming is hard and conflicts are easy, but this project clashes with my own project called Trilogy. Both for SQL-family, although mine is in the JavaScript realm. I'm not too surprised someone followed the logic did to get the name.

Not a huge project but has some users, and I still try to work on it to get the typings (TypeScript) where I want them.

https://github.com/citycide/trilogy

zodiakzz4y ago

>Only supports the parts of the text protocol that are in common use. There's no support for the binary protocol or prepared statements

Prepared statements are not in common use...? They must be talking about C language code I guess. How do C developers sanitize input?

brianmarioOP4y ago

The `trilogy_escape` call (https://github.com/github/trilogy/blob/main/inc/trilogy/clie...) should do it.

wahern4y ago

I wrote a non-blocking MySQL client C library about 10 years ago or so. I felt that requiring the caller to build up a query string across multiple statements made it too easy to forget and miss instances where quoting was needed. The nice thing about prepared statements is that even from a pure syntactic standpoint they force you to be explicit about the points where dynamic values are inserted.

So the high-level query function for the library was a variadic function that took a prepared statement-like string using unquoted literal `?' for parameters, and much like printf a very simple switch statement machine would iterate the query string and insert parameters itself, ensuring that quoting happened properly. (I forget how integers were handled; possibly with `#', or maybe some macro and type introspection hacks.) This way you could grep all lines where the query routine was invoked and verify that ? was in use. If ? was used, then clearly the developer was at least paying attention. Someone would have to go out of their way to use ? for some parameters, but manually and directly insert other parameters. Not an insurmountable barrier, but a tall one nonetheless for people even remotely conscious of security. The few places where ? wasn't used would standout and could more easily be reviewed.

Admittedly, this wasn't a complete solution, and normally I avoid stringy types and free-form string processing entirely when programming in C. But most uses of the library occurred from Lua via C bindings. You couldn't directly invoke a C variadic function from Lua, so Lua code actually called a query function that reimplemented that API, reusing the same low-level string escaping routine.

1 more reply

j / k navigate · click thread line to collapse