[Freeswitch-users] High load on database server
Ken Rice
krice at freeswitch.org
Thu Oct 27 23:35:56 MSD 2011
Hey Anthony,
I think he's being a little confused here...
What Tony is referring to, is stacked statements "select * from foo; update
bar set foo=bar; some other statement;"
Allowing stacked statements in 1 call over ODBC is bad mojo that's exactly
how most sql injections work in the first place
"select * from users where username = $USERNAME'" ... Replace $USERNAME
with the next line
; UPDATE users set password=NEWPASSWORD where username = admin'; --
Boom sql injection... Now there are other ways to protect against this like
properly escaping input from 3rd parties going into your sql statements but
it still happens all the time...
This is one of the main reasons I use prepared statements on PostgreSQL
cause it stops this sort of behavior cold in its tracks... You should still
properly escape inputs but the extra layer is worth it
On 10/27/11 2:08 PM, "Anthony Minessale" <anthony.minessale at gmail.com>
wrote:
> Blah,
>
> I said I don't like mysql, but ok I'll look it up for you.......
>
> http://www.mail-archive.com/profox@leafe.com/msg33150.html
>
> AND
>
> http://dev.mysql.com/doc/refman/5.0/en/connector-odbc-configuration-connection-parameters.html
> search for 'FLAG_MULTI_STATEMENTS'
>
> From our own FS resources:
>
> http://wiki.freeswitch.org/wiki/Using_ODBC_in_the_core#CentOS_5.2
>
> http://www.mail-archive.com/freeswitch-users@lists.freeswitch.org/msg19883.html
>
> or
>
> http://tinyurl.com/4xo26sv
>
>
>
>
>
>
> On Thu, Oct 27, 2011 at 1:29 PM, Hynek Cihlar <hynek.cihlar at gmail.com> wrote:
>> Transactions are by default supported by mysql, the transactions are driven
>> by sql statements themselves.
>>
>> Your statement is either incorrect or I interpret it wrong.
>>
>>
>> Sent from my mobile device
>>
>> On Oct 27, 2011, at 20:09, Anthony Minessale <anthony.minessale at gmail.com>
>> wrote:
>>
>>> mysql does not work with transactions by default in defense of injection
>>> attacks... read the thread its in the top.
>>>
>>>
>>> On Thu, Oct 27, 2011 at 1:07 PM, Madovsky <infos at madovsky.org> wrote:
>>>> Thanks Ken. here the link of official SIPP website
>>>> http://sipp.sourceforge.net/
>>>>
>>>> I didn't know it was a HP app ! :0)
>>>>>
>>>>> ----- Original Message -----
>>>>>
>>>>> From: Ken Rice <mailto:krice at freeswitch.org>
>>>>>
>>>>> To: FreeSWITCH Users Help <mailto:freeswitch-users at lists.freeswitch.org>
>>>>>
>>>>> Sent: Thursday, October 27, 2011 1:54 PM
>>>>>
>>>>> Subject: Re: [Freeswitch-users] High load on database server
>>>>>
>>>>>
>>>>> SIPP works fine for this... However keep in mind some of their default
>>>>> scenario files aren't exactly the best in the world and can in many
>>>>> situations leave a bit to be desired... Check the wiki I think there is
>>>>> more info on this on there
>>>>>
>>>>> K
>>>>>
>>>>>
>>>>> On 10/27/11 12:51 PM, "Madovsky" <infos at madovsky.org> wrote:
>>>>>
>>>>>
>>>>>> on this subject,
>>>>>> is SIPp can be used to test to reproduce hundreds calls ?
>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>
>>>>>>> From: Anthony Minessale <mailto:anthony.minessale at gmail.com>
>>>>>>>
>>>>>>> To: FreeSWITCH Users Help <mailto:freeswitch-users at lists.freeswitch.org>
>>>>>>>
>>>>>>> Sent: Thursday, October 27, 2011 1:39 PM
>>>>>>>
>>>>>>> Subject: Re: [Freeswitch-users] High load on database server
>>>>>>>
>>>>>>>
>>>>>>> BTW I know it's a contradiction to tell you to consider older ODBC and
>>>>>>> newer FS but I wrote FS so I can attest to its stability especially
>>>>>>> the ODBC code in the core.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Oct 27, 2011 at 12:36 PM, Anthony Minessale <anthony.minessale at gmail.com> wrote:
>>>>>>>
>>>>>>>
Let's recap
You have 4 moving parts, you have various versions of all 4 to choose
from and even different implementations of 3 of the 4.
ODBC LIB
ODBC DRIVER
DATABASE
FS
You must choose a stable combination of all 4 which may require specific
configuration of each component as well.
My only issue is FUD, I do not want people to advertise that FS does not
work on ODBC under load when the whole story is FS does not work under
load when you use fooODBC with barDRIVER with basBASE database server
configured a particular way.
It should never crash, if it does, it's a bug in something. I can speak
for FS that there is no bug there. The other 3 are variables.
Remember this next time there is a discussion about using system libs and
why we build our own depends. The one thing we use system libs for, ODBC,
is a huge PITA.........
Things to remember:
1) try the Threading=0 in the odbcinst.ini, this is a serious problem and
has been made the default in latest versions.
2) If you must use Mysql, enable transactions and make sure your odbc.ini
is referencing the threadsafe version of the lib
libmyodbc3_r.so <-- note _r
3) Try various combos of drivers and odbc libs, many times newer is not
better, stable versions lie in the past.
4) build the drivers and odbc yourself or get the debug symbols so you can
get a backtrace, you could be finding a bug for them.......
5) Find a test to reproduce your problem so you can try different database
engines and driver combos.
6) Make sure you are on latest FS git so you know you have a stable copy.
Anyway, this is a pain, that's why ppl pay you to do it.
Discuss this all you want here, just minimize any FUD to scare away people
who want to use it.
On Thu, Oct 27, 2011 at 12:24 PM, Hynek Cihlar <hynek.cihlar at gmail.com> wrote:
Do not agree. Issues happening under extreme cases like high load with
some specific conditions are hard to reproduce, sharing the
information in this case is a lot more efficient, for all.
Sent from my mobile device
On Oct 27, 2011, at 18:56, Robert Huddleston <rhuddleston at gmail.com> wrote:
> My bologna has a first name - it's O S C A R...
>
> This topic is getting really old... I have to agree with Antm - get out of
> the lazy pants and do some research / hard work.
>
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org
> [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Sergey
> Okhapkin
> Sent: Thursday, October 27, 2011 12:43 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] High load on database server
>
> What do you mean "shared ODBC"?
>
> On Thursday 27 October 2011, Madovsky wrote:
>> but, is anyone experienced that with shared ODBC ? (managing more than 330
>> concurrent calls)
>>
>> ----- Original Message -----
>> From: "Madovsky" <infos at madovsky.org>
>> To: "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>> Sent: Thursday, October 27, 2011 12:33 PM
>> Subject: Re: [Freeswitch-users] High load on database server
>>
>>> ha ok, good luck so
>>>
>>> ----- Original Message -----
>>> From: "Cliff Wells" <cliff at develix.com>
>>> To: "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>>> Sent: Thursday, October 27, 2011 12:26 PM
>>> Subject: Re: [Freeswitch-users] High load on database server
>>>
>>>> On Thu, 2011-10-27 at 11:55 -0400, Madovsky wrote:
>>>>> I means that depend the quality of your script ;)
>>>>
>>>> Quality isn't the issue here. The script is too simple to be incorrect
>>>> (and it carefully releases the odbc connection back to the pool in a
>>>> hangup handler). I have written poor-quality code plenty of times, but
>>>> 25 years as a programmer usually allows me the luxury of knowing when
>>>> I'm doing it, thanks.
>>>>
>>>> In any case, Lua scripts work fine. Google will tell you that unixODBC
>>>> before 2.3.0 was a bit of a mess, so I expect the issue lies there, but
>>>> again, I emphasize, everything WORKS GREAT (been using it for a couple
>>>> of years now) until you get to very high concurrency (about 330
>>>> concurrent calls on a single system). If you don't expect to handle
>>>> more than 300 concurrent calls, then you do not need to worry about it.
>>>> At all.
>>>>
>>>> Regards,
>>>> Cliff
>>>>
>>>>
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20111027/42690eb3/attachment-0001.html
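
Added example, not part of the original thread or of FreeSWITCH: the three behaviours discussed in the top message (stacked statements allowed, stacked statements refused, prepared statement), shown with Python's `sqlite3` as a stand-in for the ODBC/MySQL/PostgreSQL stack. The table, the function names and the payload string are constructed for illustration.

```python
import sqlite3

# Constructed input, following the shape of the payload quoted in the message.
PAYLOAD = "x'; UPDATE users SET password='NEWPASSWORD' WHERE username='admin'; --"

def fresh_db():
    """In-memory database with one constructed admin row."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (username TEXT, password TEXT);"
        "INSERT INTO users VALUES ('admin', 'original');"
    )
    return db

def admin_password(db):
    row = db.execute("SELECT password FROM users WHERE username = 'admin'")
    return row.fetchone()[0]

def stacked_allowed(username):
    """String-built SQL sent through a call that accepts several statements
    (the situation FLAG_MULTI_STATEMENTS creates on a MySQL ODBC link)."""
    db = fresh_db()
    db.executescript(f"SELECT * FROM users WHERE username = '{username}';")
    return admin_password(db)

def stacked_refused(username):
    """Same string-built SQL, but the call accepts a single statement only."""
    db = fresh_db()
    try:
        db.execute(f"SELECT * FROM users WHERE username = '{username}'")
        rejected = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Exception class depends on the Python version; both mean
        # "only one statement per call".
        rejected = True
    return rejected, admin_password(db)

def prepared(username):
    """Bound parameter: the input is data and is never parsed as SQL."""
    db = fresh_db()
    rows = db.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchall()
    return rows, admin_password(db)

if __name__ == "__main__":
    print("stacked allowed :", stacked_allowed(PAYLOAD))
    print("stacked refused :", stacked_refused(PAYLOAD))
    print("prepared        :", prepared(PAYLOAD))
```

Refusing stacked statements only stops the piggy-backed `UPDATE`; the string-built query is still reshaped by the input, which is why the bound parameter is the fix and the single-statement setting is the extra layer.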