Resolving comments

Author: jahnvi480

mssql_python/pybind/ddbc_bindings.cpp

@@ -205,7 +205,7 @@ static py::str DecodingString(const char* data, size_t length,
                               const std::string& errors = "strict") {
     try {
         py::gil_scoped_acquire gil;
-        py::bytes byte_data = py::bytes(std::string(data, length));
+        py::bytes byte_data = py::bytes(data, length);
 
         // Direct decoding - let Python handle errors strictly
         py::str decoded = byte_data.attr("decode")(encoding, errors);
@@ -410,28 +410,37 @@ SQLRETURN BindParameters(SQLHANDLE hStmt, const py::list& params,
                 std::string strValue;
 
                 // Check if we have encoding settings and this is SQL_C_CHAR (not SQL_C_WCHAR)
-                if (encoding_settings && !encoding_settings.is_none() && 
-                    encoding_settings.contains("ctype") && 
-                    encoding_settings.contains("encoding")) {
-                    
-                    SQLSMALLINT ctype = encoding_settings["ctype"].cast<SQLSMALLINT>();
-                    
-                    // Only use dynamic encoding for SQL_C_CHAR, keep SQL_C_WCHAR unchanged
-                    if (ctype == SQL_C_CHAR) {
-                        try {
-                            py::dict settings_dict = encoding_settings.cast<py::dict>();
-                            auto [encoding, errors] = extract_encoding_settings(settings_dict);
-                            
-                            // Use our safe encoding function
-                            py::bytes encoded_bytes = EncodingString(param.cast<std::string>(), encoding, errors);
-                            strValue = encoded_bytes.cast<std::string>();
+                if (encoding_settings && !encoding_settings.is_none()) {
+                    try {
+                        // SECURITY: Use extract_encoding_settings for full validation
+                        // This validates encoding against allowlist and error mode
+                        py::dict settings_dict = encoding_settings.cast<py::dict>();
+                        auto [encoding, errors] = extract_encoding_settings(settings_dict);
+                        
+                        // Validate ctype against allowlist
+                        if (settings_dict.contains("ctype")) {
+                            SQLSMALLINT ctype = settings_dict["ctype"].cast<SQLSMALLINT>();
 
-                        } catch (const std::exception& e) {
-                            LOG("Encoding failed for parameter {}: {}", paramIndex, e.what());
-                            ThrowStdException("Failed to encode parameter " + std::to_string(paramIndex) + ": " + e.what());
+                            // Only SQL_C_CHAR and SQL_C_WCHAR are allowed
+                            if (ctype != SQL_C_CHAR && ctype != SQL_C_WCHAR) {
+                                LOG("Invalid ctype {} for parameter {}, using default", ctype, paramIndex);
+                                // Fall through to default behavior
+                                strValue = param.cast<std::string>();
+                            } else if (ctype == SQL_C_CHAR) {
+                                // Only use dynamic encoding for SQL_C_CHAR
+                                py::bytes encoded_bytes = EncodingString(param.cast<std::string>(), encoding, errors);
+                                strValue = encoded_bytes.cast<std::string>();
+                            } else {
+                                // SQL_C_WCHAR - use default behavior
+                                strValue = param.cast<std::string>();
+                            }
+                        } else {
+                            // No ctype specified, use default behavior
+                            strValue = param.cast<std::string>();
                         }
-                    } else {
-                        // Default behavior for other types
+                    } catch (const std::exception& e) {
+                        LOG("Encoding settings processing failed for parameter {}: {}. Using default.", paramIndex, e.what());
+                        // Fall back to safe default behavior
                         strValue = param.cast<std::string>();
                     }
                 } else {

tests/test_011_encoding_decoding.py

@@ -3170,9 +3170,9 @@ def test_gbk_encoding_chinese_simplified(db_connection):
                 cursor.execute("INSERT INTO #test_gbk VALUES (?, ?)", 1, chinese_text)
                 cursor.execute("SELECT data FROM #test_gbk WHERE id = 1")
                 result = cursor.fetchone()
-                print(f"  Testing '{chinese_text}' ({meaning}): {safe_display(result[0])}")
+                print(f"  Testing {chinese_text!r} ({meaning}): {safe_display(result[0])}")
             else:
-                print(f"  Skipping '{chinese_text}' (not GBK compatible)")
+                print(f"  Skipping {chinese_text!r} (not GBK compatible)")
 
         print("="*60)
 
@@ -3204,9 +3204,9 @@ def test_big5_encoding_chinese_traditional(db_connection):
                 cursor.execute("INSERT INTO #test_big5 VALUES (?, ?)", 1, chinese_text)
                 cursor.execute("SELECT data FROM #test_big5 WHERE id = 1")
                 result = cursor.fetchone()
-                print(f"  Testing '{chinese_text}' ({meaning}): {safe_display(result[0])}")
+                print(f"  Testing {chinese_text!r} ({meaning}): {safe_display(result[0])}")
             else:
-                print(f"  Skipping '{chinese_text}' (not Big5 compatible)")
+                print(f"  Skipping {chinese_text!r} (not Big5 compatible)")
 
         print("="*60)
 
@@ -3238,9 +3238,9 @@ def test_shift_jis_encoding_japanese(db_connection):
                 cursor.execute("INSERT INTO #test_sjis VALUES (?, ?)", 1, japanese_text)
                 cursor.execute("SELECT data FROM #test_sjis WHERE id = 1")
                 result = cursor.fetchone()
-                print(f"  Testing '{japanese_text}' ({meaning}): {safe_display(result[0])}")
+                print(f"  Testing {japanese_text!r} ({meaning}): {safe_display(result[0])}")
             else:
-                print(f"  Skipping '{japanese_text}' (not Shift-JIS compatible)")
+                print(f"  Skipping {japanese_text!r} (not Shift-JIS compatible)")
 
         print("="*60)
 
@@ -3273,9 +3273,9 @@ def test_euc_kr_encoding_korean(db_connection):
                 cursor.execute("INSERT INTO #test_euckr VALUES (?, ?)", 1, korean_text)
                 cursor.execute("SELECT data FROM #test_euckr WHERE id = 1")
                 result = cursor.fetchone()
-                print(f"  Testing '{korean_text}' ({meaning}): {safe_display(result[0])}")
+                print(f"  Testing {korean_text!r} ({meaning}): {safe_display(result[0])}")
             else:
-                print(f"  Skipping '{korean_text}' (not EUC-KR compatible)")
+                print(f"  Skipping {korean_text!r} (not EUC-KR compatible)")
 
         print("="*60)
 
@@ -3315,10 +3315,10 @@ def test_latin1_encoding_western_european(db_connection):
                 cursor.execute("INSERT INTO #test_latin1 VALUES (?, ?)", 1, text)
                 cursor.execute("SELECT data FROM #test_latin1 WHERE id = 1")
                 result = cursor.fetchone()
-                match = "✓" if result[0] == text else "✗"
-                print(f"  {match} {description:15} | '{text}' -> '{result[0]}'")
+                match = "PASS" if result[0] == text else "FAIL"
+                print(f"  {match} {description:15} | {text!r} -> {result[0]!r}")
             else:
-                print(f"  ✗ {description:15} | Not Latin-1 compatible")
+                print(f"  SKIP {description:15} | Not Latin-1 compatible")
 
         print("="*60)
 
@@ -3353,10 +3353,10 @@ def test_cp1252_encoding_windows_western(db_connection):
                 cursor.execute("INSERT INTO #test_cp1252 VALUES (?, ?)", 1, text)
                 cursor.execute("SELECT data FROM #test_cp1252 WHERE id = 1")
                 result = cursor.fetchone()
-                match = "✓" if result[0] == text else "✗"
-                print(f"  {match} {description:15} | '{text}' -> '{result[0]}'")
+                match = "PASS" if result[0] == text else "FAIL"
+                print(f"  {match} {description:15} | {text!r} -> {result[0]!r}")
             else:
-                print(f"  ✗ {description:15} | Not CP1252 compatible")
+                print(f"  SKIP {description:15} | Not CP1252 compatible")
 
         print("="*60)
 
@@ -3504,8 +3504,9 @@ def test_utf16_unicode_preservation(db_connection):
             cursor.execute("INSERT INTO #test_utf16 VALUES (?, ?)", 1, text)
             cursor.execute("SELECT data FROM #test_utf16 WHERE id = 1")
             result = cursor.fetchone()
-            match = "✓" if result[0] == text else "✗"
-            print(f"  {match} {description:10} | '{text}' -> '{result[0]}'")
+            match = "PASS" if result[0] == text else "FAIL"
+            # Use repr() to avoid console encoding issues on Windows
+            print(f"  {match} {description:10} | {text!r} -> {result[0]!r}")
             assert result[0] == text, f"UTF-16 should preserve {description}"
 
         print("="*60)
@@ -3540,7 +3541,7 @@ def test_encoding_error_strict_mode(db_connection):
         print("="*60)
 
         for text, description in non_ascii_strings:
-            print(f"\nTesting ASCII encoding with '{text}' ({description})...")
+            print(f"\nTesting ASCII encoding with {description!r}...")
             try:
                 cursor.execute("INSERT INTO #test_strict VALUES (?, ?)", 1, text)
                 cursor.execute("SELECT data FROM #test_strict WHERE id = 1")