Re: SQL_CURSOR_TYPE prepare execute issue

From: Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: "Faith, Jeremy" <jfaith(at)tycoint(dot)com>, "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: SQL_CURSOR_TYPE prepare execute issue
Date: 2015-01-15 18:17:27
Message-ID: 54B80437.7090406@vmware.com
Lists: pgsql-odbc

On 01/15/2015 06:02 PM, Alvaro Herrera wrote:
> Heikki Linnakangas wrote:
>
>>> I have had a quick look over the change and it looks ok to me. Something of a clean up and simplification as well.
>>> If I understand it correctly, the only things that don't get quoted are SQL_INTEGER and SQL_SMALLINT that pass the new valid_int_literal() test.
>>> The only thing I can see that could pass that test and not be a valid integer would be a single minus char i.e. "-"
>>> not sure if there is any way that could be vulnerable though.
>>
>> Ah, good catch. That is definitely a problem. Consider:
>>
>> SELECT * FROM foo WHERE 1-? > 0
>>
>> If you replace ? with -, it becomes "--", which comments out the rest of the
>> query. That's actually a problem with any negative number.
>>
>> It would be tempting to just always quote the value, but that again would
>> lead to subtle changes in the datatype that the server chooses.
>
> Maybe you can "quote" it with whitespace, so that it becomes
>
> SELECT * FROM foo WHERE 1- -1 > 0
>
> which is no longer a comment and has no other side effect.

Hmm. Strictly speaking, -1 is interpreted as -(1) by the server. Usually
it doesn't make any difference, but see:

postgres=# select -32768::smallint;
ERROR: smallint out of range
postgres=# select (-32768)::smallint;
int2
--------
-32768
(1 row)

It also affects the automatically chosen column name:

postgres=# select -1::int4;
?column?
----------
-1
(1 row)

postgres=# select (-1)::int4;
int4
------
-1
(1 row)

On the whole, using parens seems better.

- Heikki
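The failure mode discussed above, as an added example that is not psqlODBC's code: a reconstructed valid_int_literal() (an assumption about the real function, which is not shown in the thread) that rejects a bare "-", and the thread's "1-?" query run both with raw substitution and with the parenthesised form. SQLite is used only because it also treats "--" as a line comment; it cannot reproduce the -32768::smallint precedence issue.

```python
import re
import sqlite3

# Reconstruction for this example (assumption, not psqlODBC's valid_int_literal):
# an optional sign must be followed by at least one digit, so a bare "-" fails.
_INT_LITERAL = re.compile(r"^[+-]?[0-9]+$")


def valid_int_literal(value: str) -> bool:
    """True only for a complete integer literal such as '42' or '-32768'."""
    return _INT_LITERAL.match(value) is not None


def substitute_raw(sql: str, value: str) -> str:
    """Unsafe: paste the literal straight into the query text."""
    return sql.replace("?", value, 1)


def substitute_paren(sql: str, value: str) -> str:
    """Wrap the checked literal in parentheses, as proposed in the thread,
    so a leading minus can never fuse with a preceding '-' into a comment."""
    if not valid_int_literal(value):
        raise ValueError(f"not an integer literal: {value!r}")
    return sql.replace("?", f"({value})", 1)


def run(sql: str) -> list:
    """Execute sql against a constructed in-memory table foo(id) = {1, 2, 3}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER)")
    conn.executemany("INSERT INTO foo VALUES (?)", [(1,), (2,), (3,)])
    return sorted(row[0] for row in conn.execute(sql))


def demo(value: str = "-1") -> dict:
    """Compare both substitutions on the thread's query shape; the trailing
    'AND id = 2' is what the '--' comment silently removes."""
    template = "SELECT id FROM foo WHERE 1-? > 0 AND id = 2"
    return {
        "raw": run(substitute_raw(template, value)),      # WHERE 1--1 ... -> every row
        "paren": run(substitute_paren(template, value)),  # WHERE 1-(-1) > 0 AND id = 2
    }


if __name__ == "__main__":
    print(demo())  # {'raw': [1, 2, 3], 'paren': [2]}
```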
