Thread: [Cppcms-users] dbixx::sql truncates string!
From: augustin <aug...@ov...> - 2010-11-01 06:40:45
Hello,

I get a username and a password from a user and hash the password using md5():

    std::string pass_md5 = md5(password);
    memset (password, '*', 100); // Erase the password from memory.
    cout << "The md5 is: " << pass_md5 << endl;

    sql << "SELECT * FROM users WHERE name = ? AND pass = ?", username, pass_md5;
    if (sql.single(r)) { /* Login successful...*/ }

The (critical) problem is that the login is never successful because in the above query, the pass_md5 is truncated. The md5 hash is 32 characters long, but only the 20 first characters are kept in the query.
???

Is this a bug in the API, or am I doing something wrong?

Also, for debugging purposes, how can I access the actual query sent to the sql server?

Augustin.

-- 
Friends: http://www.reuniting.info/ http://activistsolutions.org/
My projects: http://astralcity.org/ http://3enjeux.overshoot.tv/ http://linux.overshoot.tv/ http://overshoot.tv/ http://charityware.info/ http://masquilier.org/ http://openteacher.info/ http://minguo.info/ http://www.wechange.org/ http://searching911.info/
From: augustin <aug...@ov...> - 2010-11-01 07:16:29
Scratch that. What's being truncated is the sql query in the error log.

I still have a funny bug I can't quite figure out. What I need is the output of the full query sent to the sql server, so that I can do something like:

    cerr << sql.query_string << endl;

Augustin.

-- 
Friends: http://www.reuniting.info/ http://activistsolutions.org/
My projects: http://astralcity.org/ http://3enjeux.overshoot.tv/ http://linux.overshoot.tv/ http://overshoot.tv/ http://charityware.info/ http://masquilier.org/ http://openteacher.info/ http://minguo.info/ http://www.wechange.org/ http://searching911.info/
From: augustin <aug...@ov...> - 2010-11-01 07:28:27
Oh my! There are days when I'm really ashamed of myself. I made a stupid mistake: I forgot I was using a development database where the values (user names) are different from the ones in the live DB and I used the wrong values during my testing.

Still, the truncated query in the error logs sent me down the wrong path, so I'd still like to know the following:

> Also, for debugging purposes, how can I access the actual query sent to
> the sql server?

Augustin.

-- 
Friends: http://www.reuniting.info/ http://activistsolutions.org/
My projects: http://astralcity.org/ http://3enjeux.overshoot.tv/ http://linux.overshoot.tv/ http://overshoot.tv/ http://charityware.info/ http://masquilier.org/ http://openteacher.info/ http://minguo.info/ http://www.wechange.org/ http://searching911.info/
From: Artyom <art...@ya...> - 2010-11-01 07:29:46
> I get a username and a password from a user and hash the password using md5():
> std::string pass_md5 = md5(password);
> memset (password, '*', 100); // Erase the password from memory.
> cout << "The md5 is: " << pass_md5 << endl;

What is md5 function? Is it cppcms::util::md5 or something else? Because if so, it creates a 16-character binary string and you probably need cppcms::util::md5hex for 32 hexadecimal characters.

BTW I suggest to salt passwords to prevent using rainbow tables.

> sql << "SELECT * FROM users WHERE name = ? AND pass = ?", username,
> pass_md5;
> if (sql.single(r)) { /* Login successful...*/ }
>
> The (critical) problem is that the login is never successful because in the
> above query, the pass_md5 is truncated. The md5 hash is 32 characters long,
> but only the 20 first characters are kept in the query.
> ???

I tested this code; it works fine.

>
> Is this a bug in the API, or am I doing wrong?
>
>
> Also, for debugging purposes, how can I access the actual query sent to the
> sql server?
>

If you still have issues you can add debug printing at line 310 of session.cpp in function session::single.

Before line:

    dbi_result res=dbi_conn_query(conn,escaped_query.c_str());

Add:

    std::cerr << "[" << escaped_query <<"]" << std::endl;

Also if an exception is thrown you can request the query() parameter of dbixx_error.

Artyom
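The binary-versus-hex point in Artyom's reply, as an added example that is not code from this thread or from cppcms/dbixx: Python's hashlib and an in-memory sqlite3 table stand in for cppcms::util::md5/md5hex and for dbixx, the users table and the password "correct horse" are constructed sample data, and sqlite's trace callback plays the role of the std::cerr line he suggests adding to session.cpp. The block also shows the per-user salt he recommends, in a hypothetical "salthex$digesthex" record layout that is this example's own choice, not a cppcms convention.

```python
"""Added example (not from the cppcms/dbixx thread): a raw 16-byte MD5 digest
never matches the 32-character hex digest stored in the users table, and a
parameterized query does not truncate the bound value on the way to the
database."""
import hashlib
import hmac
import os
import sqlite3
from typing import Callable, List, Optional


def md5_raw(password: str) -> bytes:
    # Analogue of cppcms::util::md5 as described in the thread: 16 binary bytes.
    return hashlib.md5(password.encode("utf-8")).digest()


def md5_hex(password: str) -> str:
    # Analogue of cppcms::util::md5hex: 32 hexadecimal characters.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def open_users_db() -> sqlite3.Connection:
    """Constructed sample table: one user whose stored hash is the hex form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", md5_hex("correct horse")))
    conn.commit()
    return conn


def capture_statements(conn: sqlite3.Connection) -> List[str]:
    """Debug aid in the spirit of the std::cerr line suggested in the thread:
    every statement the driver actually hands to sqlite is appended to the list."""
    log: List[str] = []
    conn.set_trace_callback(log.append)
    return log


def login(conn: sqlite3.Connection, username: str, password: str,
          hasher: Callable[[str], object]) -> bool:
    """Same shape as the thread's query. The hash is bound as a parameter, so
    its full length reaches the database; a raw digest is bound as a BLOB and
    cannot equal the TEXT column, which is the mismatch Artyom points at."""
    row = conn.execute(
        "SELECT * FROM users WHERE name = ? AND pass = ?",
        (username, hasher(password)),
    ).fetchone()
    return row is not None


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt stored with the digest as 'salthex$digesthex'
    (hypothetical layout chosen for this example)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    expected = hashlib.md5(bytes.fromhex(salt_hex)
                           + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest_hex)


if __name__ == "__main__":
    conn = open_users_db()
    log = capture_statements(conn)
    print("raw digest length:", len(md5_raw("correct horse")))   # 16
    print("hex digest length:", len(md5_hex("correct horse")))   # 32
    print("login with raw digest:", login(conn, "alice", "correct horse", md5_raw))
    print("login with hex digest:", login(conn, "alice", "correct horse", md5_hex))
    print("statements seen by the driver:", log)
    record = make_salted_record("correct horse")
    print("salted record:", record)
    print("salted verify:", verify_salted_record("correct horse", record))
```

Two things are worth noticing when you run it: the raw digest is exactly the hex digest's bytes (`md5_raw(p).hex() == md5_hex(p)`), so the login only fails because the table stores the hex form, and two calls to `make_salted_record` with the same password produce different records, which is what defeats a precomputed rainbow table. Salted MD5 is what the thread discusses; current practice for stored passwords is a deliberately slow function such as `hashlib.pbkdf2_hmac` or a dedicated password hash, with the same salt-and-compare structure shown here.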
From: augustin <aug...@ov...> - 2010-11-01 12:48:45
On Monday 01 November 2010 03:29:39 pm Artyom wrote:

> What is md5 function? Is it cppcms::util::md5 or something else? Because
> of so it creates 16 characters binary string and you probably
> need cppcms::util::md5hex
> for 32 hexadecimal characters.

It was something else that I found elsewhere on the web. I forgot you already provided the equivalent within the utils. I now use cppcms::util::md5hex and it works equally well. Thanks.

> BTW I suggest to salt passwords to prevent using rainbow tables.

Yes, I will.

> You can add debug printing in line 310 of session.cpp in function
> session::single
> Before line:
>
> dbi_result res=dbi_conn_query(conn,escaped_query.c_str());
>
> Add:
>
> std::cerr << "[" << escaped_query <<"]" << std::endl;
>
> Also if exception is thrown
> you can request query() parameter of dbixx_error.

Can't dbixx::session::escaped_query be made public? That would be useful both for debugging and query logging purposes.

Maybe it would be safer to simply implement a getEscaped_query() function, but how could I use my own function to modify the query in other ways (e.g. automatically add a prefix to table names)?

Even if I make a class derived from dbixx::session, I still wouldn't be able to read AND modify the query as long as escaped_query is private, right?

augustin.

-- 
Friends: http://www.reuniting.info/ http://activistsolutions.org/
My projects: http://astralcity.org/ http://3enjeux.overshoot.tv/ http://linux.overshoot.tv/ http://overshoot.tv/ http://charityware.info/ http://masquilier.org/ http://openteacher.info/ http://minguo.info/ http://www.wechange.org/ http://searching911.info/
From: Artyom <art...@ya...> - 2010-11-02 07:42:44
>
> Can't dbixx::session::escaped_query be made public?
> That would be useful both for debugging and query logging purposes?
>
> Maybe it would be safer to simply implement a getEscaped_query() function, but
>
> how could I use my own function to modify the query in other ways (e.g.
> automatically add a prefix to table names)?

Probably I can add a get_escaped_query() member function. And no, I can't make it public, as it is a private variable used internally.

> Even if I make a class derived from dbixx::session, I still wouldn't be able
> to read AND modify the query as long as escaped_query is private, right?
>

dbixx::session is not intended to be derived from.

Artyom