Re: SQL_CURSOR_TYPE prepare execute issue

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
Cc: "Faith, Jeremy" <jfaith(at)tycoint(dot)com>, "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: SQL_CURSOR_TYPE prepare execute issue
Date: 2015-01-15 16:02:37
Message-ID: 20150115160237.GQ1663@alvh.no-ip.org
Lists: pgsql-odbc

Heikki Linnakangas wrote:

> >I have had a quick look over the change and it looks ok to me. Something of a clean up and simplification as well.
> >If I understand it correctly, the only things that don't get quoted are SQL_INTEGER and SQL_SMALLINT that pass the new valid_int_literal() test.
> >The only thing I can see that could pass that test and not be a valid integer would be a single minus char i.e. "-"
> >not sure if there is any way that could be vulnerable though.
>
> Ah, good catch. That is definitely a problem. Consider:
>
> SELECT * FROM foo WHERE 1-? > 0
>
> If you replace ? with -, it becomes "--", which comments out the rest of the
> query. That's actually a problem with any negative number.
>
> It would be tempting to just always quote the value, but that again would
> lead to subtle changes in the datatype that the server chooses.

Maybe you can "quote" it with whitespace, so that it becomes

SELECT * FROM foo WHERE 1- -1 > 0

which is no longer a comment and has no other side effect.

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
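A small model of the substitution step this thread discusses, added here as an illustration and not psqlODBC's own code (valid_int_literal and substitute are hypothetical names standing in for the driver's logic): it rejects a bare "-" and pads unquoted integer literals with whitespace so that `1-?` bound to -1 cannot fuse into the `--` comment marker.

```python
import re

# Constructed example, not psqlODBC's code. It models the literal-substitution
# step applied to SQL_INTEGER / SQL_SMALLINT parameters when the driver inlines
# them into the query text instead of sending them as bound parameters.

_INT_LITERAL = re.compile(r"-?[0-9]+")


def valid_int_literal(value: str) -> bool:
    """True only for an optional minus sign followed by at least one digit.

    A bare "-" therefore fails the test (the case raised in the thread), as
    does an empty string or anything with a sign but no digits.
    """
    return _INT_LITERAL.fullmatch(value) is not None


def substitute(query: str, params, pad: bool = True) -> str:
    """Replace each '?' placeholder with the corresponding parameter.

    Values that pass valid_int_literal are inlined unquoted, so the server
    still infers an integer type. Everything else is inlined as a quoted
    string literal with embedded quotes doubled. With pad=True an unquoted
    value is surrounded by spaces (the whitespace "quoting" suggested above),
    so "1-" followed by "-1" yields "1- -1" rather than the comment "1--1".
    pad=False reproduces the problematic behaviour for comparison.

    Simplification: '?' is treated as a placeholder wherever it appears; a
    real driver must skip '?' inside string literals and comments.
    """
    values = iter(params)
    out = []
    for ch in query:
        if ch != "?":
            out.append(ch)
            continue
        value = str(next(values))
        if valid_int_literal(value):
            out.append(f" {value} " if pad else value)
        else:
            out.append("'" + value.replace("'", "''") + "'")
    return "".join(out)


if __name__ == "__main__":
    q = "SELECT * FROM foo WHERE 1-? > 0"
    print(substitute(q, [-1], pad=False))  # 1--1: rest of the query is a comment
    print(substitute(q, [-1]))             # 1- -1: a real subtraction again
```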
