[Freeswitch-users] High load on database server

Ken Rice krice at freeswitch.org
Thu Oct 27 23:35:56 MSD 2011


Hey Anthony,

I think he's being a little confused here...

What Tony is referring to is stacked statements: "select * from foo; update
bar set foo=bar; some other statement;"

Allowing stacked statements in 1 call over ODBC is bad mojo, that's exactly
how most SQL injections work in the first place

"select * from users where username = '$USERNAME'" ... Replace $USERNAME
with the next line

'; UPDATE users set password=NEWPASSWORD where username = 'admin'; --

Boom sql injection... Now there are other ways to protect against this like
properly escaping input from 3rd parties going into your sql statements but
it still happens all the time...

This is one of the main reasons I use prepared statements on Postgresql
cause it stops this sort of behavior cold in its tracks... You should still
properly escape inputs but the extra layer is worth it
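
The stacked-statement injection described in the message above, as an added example that is not part of the original post. SQLite from Python's standard library stands in for the ODBC database setup discussed in the thread, `executescript` plays the role of a driver with multi-statement support switched on, and the table, the helper names and the quoted 'NEWPASSWORD' value are constructed for illustration.

```python
import sqlite3

# Payload from the message above; NEWPASSWORD is quoted here so it parses
# as a string literal (constructed sample value).
PAYLOAD = "'; UPDATE users SET password='NEWPASSWORD' WHERE username = 'admin'; --"

def fresh_db():
    """In-memory stand-in for the users table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'original')")
    db.commit()
    return db

def admin_password(db):
    row = db.execute("SELECT password FROM users WHERE username = 'admin'").fetchone()
    return row[0]

def stacked_allowed(username):
    """String-built SQL sent through an API that accepts stacked statements."""
    db = fresh_db()
    db.executescript("SELECT * FROM users WHERE username = '%s'" % username)
    return admin_password(db)

def stacked_refused(username):
    """Same string-built SQL, but the API runs only one statement per call."""
    db = fresh_db()
    try:
        db.execute("SELECT * FROM users WHERE username = '%s'" % username)
        refused = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        refused = True  # second statement rejected before anything runs
    return admin_password(db), refused

def parameterized(username):
    """Bound parameter: the payload is compared as data, never parsed as SQL."""
    db = fresh_db()
    rows = db.execute("SELECT username, password FROM users WHERE username = ?",
                      (username,)).fetchall()
    return admin_password(db), rows

if __name__ == "__main__":
    print("multi-statement on :", stacked_allowed(PAYLOAD))
    print("multi-statement off:", stacked_refused(PAYLOAD))
    print("bound parameter    :", parameterized(PAYLOAD))
```

Only the first path changes the admin row; refusing stacked statements stops this particular payload, and the bound parameter removes the injection point itself.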




On 10/27/11 2:08 PM, "Anthony Minessale" <anthony.minessale at gmail.com>
wrote:

> Blah,
> 
> I said I don't like mysql, but ok I'll look it up for you.......
> 
> http://www.mail-archive.com/profox@leafe.com/msg33150.html
> 
> AND
> 
> http://dev.mysql.com/doc/refman/5.0/en/connector-odbc-configuration-connection-parameters.html
> search for 'FLAG_MULTI_STATEMENTS'
> 
> From our own FS resources:
> 
> http://wiki.freeswitch.org/wiki/Using_ODBC_in_the_core#CentOS_5.2
> 
> http://www.mail-archive.com/freeswitch-users@lists.freeswitch.org/msg19883.html
> 
> or 
> 
> http://tinyurl.com/4xo26sv
>
> On Thu, Oct 27, 2011 at 1:29 PM, Hynek Cihlar <hynek.cihlar at gmail.com> wrote:
>> Transactions are by default supported by mysql, the transactions are driven
>> by sql statements themselves. 
>> 
>> Your statement is either incorrect or I interpret it wrong. 
>> 
>> 
>> Sent from my mobile device
>> 
>> On Oct 27, 2011, at 20:09, Anthony Minessale <anthony.minessale at gmail.com>
>> wrote:
>> 
>>> mysql does not work with transactions by default in defense of injection
>>> attacks... read the thread it's in the top.
>>> 
>>> 
>>> On Thu, Oct 27, 2011 at 1:07 PM, Madovsky <infos at madovsky.org> wrote:
>>>> Thanks Ken. here the link of official SIPP website
>>>> http://sipp.sourceforge.net/
>>>>  
>>>> I didn't know it was a HP app ! :0)
>>>>> ----- Original Message -----
>>>>> From: Ken Rice <krice at freeswitch.org>
>>>>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>> Sent: Thursday, October 27, 2011 1:54 PM
>>>>> Subject: Re: [Freeswitch-users] High load on database server
>>>>>
>>>>> SIPP works fine for this... However keep in mind some of their default
>>>>> scenario files aren't exactly the best in the world and can in many
>>>>> situations leave a bit to be desired... Check the wiki I think there is
>>>>> more info on this on there
>>>>> 
>>>>> K
>>>>> 
>>>>> 
>>>>> On 10/27/11 12:51 PM, "Madovsky" <infos at madovsky.org> wrote:
>>>>>
>>>>>> on this subject,
>>>>>> is SIPp can be used to test to reproduce hundreds calls ?
>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: Anthony Minessale <anthony.minessale at gmail.com>
>>>>>>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>>>> Sent: Thursday, October 27, 2011 1:39 PM
>>>>>>> Subject: Re: [Freeswitch-users] High load on database server
>>>>>>>
>>>>>>> BTW I know it's a contradiction to tell you to consider older ODBC and
>>>>>>> newer FS but I wrote FS so I can attest to its stability especially
>>>>>>> the ODBC code in the core.
>>>>>>>
>>>>>>> On Thu, Oct 27, 2011 at 12:36 PM, Anthony Minessale
>>>>>>> <anthony.minessale at gmail.com> wrote:
>>>>>>>

Let's recap

You have 4 moving parts, you have various versions of all 4 to choose
from and even different implementations of 3 of the 4.

ODBC LIB
ODBC DRIVER
DATABASE
FS

You must choose a stable combination of all 4 which may require specific
configuration of each component as well.

My only issue is FUD, I do not want people to advertise that FS does not
work on ODBC under load when the whole story is FS does not work under
load when you use fooODBC with barDRIVER with basBASE database server
configured a particular way.

It should never crash, if it does, it's a bug in something. I can speak
for FS that there is no bug there. The other 3 are variables.

Remember this next time there is a discussion about using system libs and
why we build our own depends. The one thing we use system libs for, ODBC,
is a huge PITA.........

Things to remember:

1) try the Threading=0 in the odbcinst.ini, this is a serious problem and
has been made the default in latest versions.

2) If you must use Mysql, enable transactions and make sure your odbc.ini
is referencing the threadsafe version of the lib

     libmyodbc3_r.so <-- note _r

3) Try various combos of drivers and odbc libs, many times newer is not
better, stable versions lie in the past.

4) build the drivers and odbc yourself or get the debug symbols so you can
get a backtrace, you could be finding a bug for them.......

5) Find a test to reproduce your problem so you can try different database
engines and driver combos.

6) Make sure you are on latest FS git so you know you have a stable copy.

Anyway, this is a pain, that's why ppl pay you to do it.

Discuss this all you want here, just minimize any FUD to scare away people
who want to use it.

On Thu, Oct 27, 2011 at 12:24 PM, Hynek Cihlar <hynek.cihlar at gmail.com> wrote:

Do not agree. Issues happening under extreme cases like high load with
some specific conditions are hard to reproduce, sharing the
information in this case is a lot more efficient, for all.

Sent from my mobile device

On Oct 27, 2011, at 18:56, Robert Huddleston <rhuddleston at gmail.com> wrote:

> My bologna has a first name - it's O S C A R...
>
> This topic is getting really old... I have to agree with Antm - get out of
> the lazy pants and do some research / hard work.
>
>
> -----Original Message-----
> From: freeswitch-users-bounces at lists.freeswitch.org
> [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Sergey
> Okhapkin
> Sent: Thursday, October 27, 2011 12:43 PM
> To: FreeSWITCH Users Help
> Subject: Re: [Freeswitch-users] High load on database server
>
> What do you mean "shared ODBC"?
>
> On Thursday 27 October 2011, Madovsky wrote:
>> but, is anyone experienced that with shared ODBC ? (managing more than 330
>> concurrent calls)
>>
>> ----- Original Message -----
>> From: "Madovsky" <infos at madovsky.org>
>> To: "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>> Sent: Thursday, October 27, 2011 12:33 PM
>> Subject: Re: [Freeswitch-users] High load on database server
>>
>>> ha ok, good luck so
>>>
>>> ----- Original Message -----
>>> From: "Cliff Wells" <cliff at develix.com>
>>> To: "FreeSWITCH Users Help" <freeswitch-users at lists.freeswitch.org>
>>> Sent: Thursday, October 27, 2011 12:26 PM
>>> Subject: Re: [Freeswitch-users] High load on database server
>>>
>>>> On Thu, 2011-10-27 at 11:55 -0400, Madovsky wrote:
>>>>> I means that depend the quality of your script ;)
>>>>
>>>> Quality isn't the issue here. The script is too simple to be incorrect
>>>> (and it carefully releases the odbc connection back to the pool in a
>>>> hangup handler). I have written poor-quality code plenty of times, but
>>>> 25 years as a programmer usually allows me the luxury of knowing when
>>>> I'm doing it, thanks.
>>>>
>>>> In any case, Lua scripts work fine. Google will tell you that unixODBC
>>>> before 2.3.0 was a bit of a mess, so I expect the issue lies there, but
>>>> again, I emphasize, everything WORKS GREAT (been using it for a couple
>>>> of years now) until you get to very high concurrency (about 330
>>>> concurrent calls on a single system). If you don't expect to handle
>>>> more than 300 concurrent calls, then you do not need to worry about it.
>>>> At all.
>>>>
>>>> Regards,
>>>> Cliff
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE: http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org