From: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
---|---|
To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Cc: | "Faith, Jeremy" <jfaith(at)tycoint(dot)com>, "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org> |
Subject: | Re: SQL_CURSOR_TYPE prepare execute issue |
Date: | 2015-01-15 18:17:27 |
Message-ID: | 54B80437.7090406@vmware.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-odbc |
On 01/15/2015 06:02 PM, Alvaro Herrera wrote:
> Heikki Linnakangas wrote:
>
>>> I have had a quick look over the change and it looks ok to me. Something of a clean up and simplification as well.
>>> If I understand it correctly, the only things that don't get quoted are SQL_INTEGER and SQL_SMALLINT that pass the new valid_int_literal() test.
>>> The only thing I can see that could pass that test and not be a valid integer would be a single minus char i.e. "-"
>>> not sure if there is anyway that could be vulnerable though.
>>
>> Ah, good catch. That is definitely a problem. Consider:
>>
>> SELECT * FROM foo WHERE 1-? > 0
>>
>> If you replace ? with -, it becomes "--", which comments out the rest of the
>> query. That's actually a problem with any negative number.
>>
>> It would be tempting to just always quote the value, but that again would
>> lead to subtle changes in the datatype that the server chooses.
>
> Maybe you can "quote" it with whitespace, so that it becomes
>
> SELECT * FROM foo WHERE 1- -1 > 0
>
> which is no longer a comment and has no other side effect.
Hmm. Strictly speaking, -1 is interpreted as -(1) by the server. Usually
it doesn't make any difference, but see:
postgres=# select -32768::smallint;
ERROR: smallint out of range
postgres=# select (-32768)::smallint;
int2
--------
-32768
(1 row)
It also affects the automatically chosen column name:
postgres=# select -1::int4;
?column?
----------
-1
(1 row)
postgres=# select (-1)::int4;
int4
------
-1
(1 row)
On the whole, using parens seems better.
- Heikki
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2015-01-16 00:03:07 | Re: Time for a new release? (was Re: SQL_CURSOR_TYPE prepare execute issue) |
Previous Message | Alvaro Herrera | 2015-01-15 16:02:37 | Re: SQL_CURSOR_TYPE prepare execute issue |