{"id":502,"date":"2009-02-12T06:38:11","date_gmt":"2009-02-12T04:38:11","guid":{"rendered":"http:\/\/code.openark.org\/blog\/?p=502"},"modified":"2009-02-12T07:50:52","modified_gmt":"2009-02-12T05:50:52","slug":"is-a-valid-column-name","status":"publish","type":"post","link":"https:\/\/code.openark.org\/blog\/mysql\/is-a-valid-column-name","title":{"rendered":"`;`.`*`.`.` is a valid column name"},"content":{"rendered":"

And the following query:<\/p>\n

\n
SELECT `;`.`*`.`.` FROM `;`.`*`;<\/pre>\n<\/blockquote>\n
is valid as well. So are the following:<\/p>\n
\n
DROP DATABASE IF EXISTS `;`;\r\nCREATE DATABASE `;`;\r\nCREATE TABLE `;`.`*` (`.` INT);\r\nCREATE TABLE `;`.```` (`.` INT);\r\nCREATE TABLE `;`.`$(ls)` (`.` INT);<\/pre>\n<\/blockquote>\n
So, on my Linux machine:<\/p>\n
\n
root@mymachine:\/usr\/local\/mysql\/data# ls -l\r\ntotal 30172\r\ndrwx------ 2 mysql mysql     4096 2009-01-11 08:00 ;\r\n-rw-rw---- 1 mysql mysql 18874368 2009-01-09 19:08 ibdata1\r\n-rw-rw---- 1 mysql mysql  5242880 2009-01-09 19:08 ib_logfile0\r\n-rw-rw---- 1 mysql mysql  5242880 2009-01-09 19:08 ib_logfile1\r\ndrwxr-x--- 2 mysql mysql     4096 2008-12-09 11:38 mysql\r\n-rw-rw---- 1 mysql mysql  1423612 2009-01-11 08:00 mysql-bin.000001\r\n-rw-rw---- 1 mysql mysql       19 2009-01-04 09:05 mysql-bin.index\r\ndrwx------ 2 mysql mysql     4096 2008-12-21 13:58 sakila\r\n-rw-rw---- 1 mysql root      9783 2009-01-04 09:05 mymachine.err\r\n-rw-rw---- 1 mysql mysql        6 2009-01-04 09:05 mymachine\r\n.pid\r\ndrwx------ 2 mysql mysql     4096 2009-01-04 08:30 world<\/pre>\n<\/blockquote>\n
Well then…<\/p>\n
\n
root@mymachine:\/usr\/local\/mysql\/data# cd ;<\/strong>\r\nroot@mymachine:~#<\/pre>\n<\/blockquote>\n
Trying again:<\/p>\n
\n
root@mymachine:~# cd -<\/strong>\r\n\/usr\/local\/mysql\/data\r\nroot@mymachine:\/usr\/local\/mysql\/data# cd \";\"<\/strong>\r\nroot@mymachine:\/usr\/local\/mysql\/data\/;#<\/pre>\n<\/blockquote>\n
And now:<\/p>\n
\n
root@mymachine:\/usr\/local\/mysql\/data\/;# ls -l *.frm<\/strong>\r\n-rw-rw---- 1 mysql mysql 8554 2009-01-11 08:00 `.frm\r\n-rw-rw---- 1 mysql mysql 8554 2009-01-11 08:00 *.frm\r\n-rw-rw---- 1 mysql mysql 8554 2009-01-11 08:00 $(ls).frm<\/pre>\n<\/blockquote>\n
Oh, sorry, I meant:<\/p>\n
\n
root@mymachine:\/usr\/local\/mysql\/data\/;# ls -l \"*\".frm<\/strong>\r\n-rw-rw---- 1 mysql mysql 8554 2009-01-11 08:00 *.frm<\/pre>\n<\/blockquote>\n
Weird.<\/p>\n
As a nice surprise, though, the dot (.) is not allowed in database or table names (but is allowed in column names). Nor are the slash (\/) and backslash (\\). Look here<\/a> for more on this.<\/p>\n
Support for non English naming<\/h4>\n
I kinda new about this all along, but never thought of the consequences. It’s nice to have a relaxed naming rule (I can even name my tables in Hebrew if I like), but “nice” doesn’t always play along with “practical”.<\/p>\n
As a Hebrew speaker, I repeatedly encounter issues with using my language. In many applications Hebrew encoding is not supported (many times even UTF8 isn’t). Not to mention the fact that Hebrew is written from right to left. On many occasion I was irritated by the lack of support for non-English or non-ASCII characters.<\/p>\n
But not always and not everywhere. I’ve had my share of programming languages, and, to be honest, I never expected my programming language to support UTF8 encoding for function names, variables, modules, packages or whatever. Using “a-zA-Z0-9_” is just fine<\/em>. Many people who are not well familiar with English just name their variables in their native language, but written with English characters. This works well till you get someone from outside the country, who doesn’t speak the language and does not understand (nor can pronounce, nor has the matching keyboard layout or knows how to use it) the names.<\/p>\n
In the same way, I have no wish for my table names to be named in Hebrew, German or Japanese names. English is just fine<\/em>.<\/p>\n
Using non-letter characters just adds to the mess. Popular “command” characters such as ‘~’, ‘,’, ‘:’, ‘;’, ‘*’, ‘?’, ‘(‘, ‘$’ are better left alone. They don’t belong in database or table names (mapped to file names) or column names (internally handled by MySQL).<\/p>\n
English has become the de-facto<\/em> computer world language. Programming languages, file systems, TCP\/IP protocols, SQL: everything “speaks” English.<\/p>\n
Security<\/h4>\n
There’s another aspect, though: security. It may sound silly, but you can actually write complete scripts in a table’s name! Not wanting to give the wrong idea, I’m not presenting some table names which can wreak havoc on your machine if used improperly.<\/p>\n
But think about it: don’t we all use a couple of scripts which backup\/clean\/automate some stuff for us? Don’t these scripts just go ahead and read some table names, then do stuff on those tables? How well do they trust table names?<\/p>\n","protected":false},"excerpt":{"rendered":"
And the following query: SELECT `;`.`*`.`.` FROM `;`.`*`; is valid as well. So are the following: DROP DATABASE IF EXISTS `;`; CREATE DATABASE `;`; CREATE TABLE `;`.`*` (`.` INT); CREATE TABLE `;`.““ (`.` INT); CREATE TABLE `;`.`$(ls)` (`.` INT);<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[5],"tags":[16,20],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-mysql","tag-security","tag-syntax"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2bZZp-86","_links":{"self":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/comments?post=502"}],"version-history":[{"count":8,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/502\/revisions"}],"predecessor-version":[{"id":563,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/502\/revisions\/563"}],"wp:attachment":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}