字符串末尾的反斜杠在插入InfluxDB时导致错误

Question

I have a string:

string = "\\"
puts string
# => \

I am interpolating this into a new string and sending to a database. However the database (InfluxDB) uses backslashes as escape characters so pushing this string can cause an error.

For example, if I pass the following to Influx it will cause an "unterminated string" error:

insert_cmd = <<-TXT
  INSERT INTO my_db.default.my_measurement,my_tag=1 my_val="#{string}"
TXT

My question is how can I replace \\ in a string with \\\\ (two actual backslashes).

I have it working with gsub("\\\\", "\\\\\\\\\\\\") but I don't understand why this works and the following doesn't:

string.gsub("\\", "\\\\")
# SyntaxError: (irb):10: syntax error, unexpected $undefined, expecting end-of-input

Why doesn't this work? Why does gsub("\\\\", "\\\\\\\\\\\\") work? Is there a better way?

---

solved

As I mentioned in a comment, actually I am not manually interpolating into a INSERT INTO string. I am using influxdb-ruby:

INFLUXDB_CLIENT.write_point("things", time: Time.now.to_i, values: { foo: "\\" })

It turns out this is a bug with that gem: https://github.com/influxdata/influxdb-ruby/issues/200

It is fixed in v 0.4.2 and i was using 0.4.1

Answer 1

You just use parameterized query strings:

INSERT INTO my_db.default.my_measurement,my_tag=1 my_val=%{1}

Where when you call it you do this:

influxdb.query("...query...", params: [ string ])

What you did was create a classic injection bug by sending unescaped data into a query. The same principle applies in any database with a plain-text string representation, or even other data formats like HTML and JavaScript.