Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to the official Python package to connect with the server #27

Open
KartikSoneji opened this issue Jun 3, 2021 · 1 comment
Open

Switch to the official Python package to connect with the server #27

KartikSoneji opened this issue Jun 3, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

@KartikSoneji
Copy link

mariadb_kernel/mariadb_kernel/mariadb_client.py

Lines 21 to 27 in 0dddfe5

def run_command(self, code, timeout=-1, async_=False):
# Writing the cell code within a file and then sourcing it in the client
# offers us a lot of advantages.
# We avoid Pexpect's limitation of PC_MAX_CANON (1024) chars per line
# and we also avoid more nasty issues like MariaDB client behaviour
# sending continuation prompt when "\n" is received.

The current implementation of using the mariadb client cli has some limitations.

mariadb_kernel/mariadb_kernel/mariadb_client.py

Line 100 in 0dddfe5

def run_statement(self, code, timeout=-1):

The run_statement doesn't support parameter substitution, which can lead to unintentional SQL injections while adding more magics:

mariadb_kernel/mariadb_kernel/maria_magics/load.py

Line 46 in 362e378

use_csv_update_table_cmd = f"""LOAD DATA LOCAL INFILE '{self.csv_file_path}'

mariadb_kernel/mariadb_kernel/maria_magics/load.py

Line 57 in 362e378

f"select * from {self.table_name} limit 5;"

Security is not as much of an issue, but it can lead to issues with some commands, for example if the file is named ' a.csv.
Trying to escape these edge cases in Python will lead to an imperfect re-implementation of the escaping logic like the original connector.

Ideally, the run_statement method should accept a list of substitution parameters like the Python connector

cur.execute("INSERT INTO test.accounts(first_name, last_name, email, amount) VALUES (?, ?, ?, ?)",
      (first_name, last_name, email, amount))

mariadb_kernel/mariadb_kernel/mariadb_client.py

Line 50 in 0dddfe5

self.prompt = re.compile(r"MariaDB \[.*\]>[ \t]")

Listening for the MariaDB [] prompt causes some queries to never finish or truncate the output.
The Python connector will be more reliable as it is both officially supported and throughly tested.

image
@grooverdan grooverdan mentioned this issue Jul 7, 2022
Closed
@LinuxJedi
Copy link
Contributor

Whatever the fix for this ends up being it will likely also fix #20. I'm going to mark it as an enhancement even though it is borderline between bug and enhancement.

@LinuxJedi LinuxJedi added the enhancement New feature or request label Feb 1, 2023
@robertbindar robertbindar mentioned this issue Feb 22, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LinuxJedi @KartikSoneji