I guess this is the same for AUTOINC and INTEGER now that I test it. I
had assumed that it was only happening to AUTOINC because the data
type was falling through a case statement. But here is an example. I
think it is not safe. Yes, the developer should be doing their own
checks, but if a developer gets a value from the web it will always be
a string.
// Imports assumed for the empire-db 2.x classes used below (added for readability)
import java.sql.Connection;
import org.apache.empire.data.DataType;
import org.apache.empire.db.DBCommand;
import org.apache.empire.db.DBDatabase;
import org.apache.empire.db.DBTable;
import org.apache.empire.db.DBTableColumn;
import org.apache.empire.db.mssql.DBDatabaseDriverMSSQL;

Connection conn = env.getConnection();   // env: the poster's own environment helper
DBDatabaseDriverMSSQL driver = new DBDatabaseDriverMSSQL();
DBDatabase db = new DBDatabase() { };    // DBDatabase is normally subclassed; anonymous subclass is enough here
db.open(driver, conn);
DBTable table1 = new DBTable("table1", db);
DBTableColumn id = table1.addColumn("id", DataType.AUTOINC, 10.0, false, null);
DBTableColumn name = table1.addColumn("name", DataType.TEXT, 20.0, false, null);
table1.setPrimaryKey(id);
DBCommand cmd = db.createCommand();
// Simulated value taken from a web request: it arrives as a String, not a number
String userInput = "0; update some_table set password = 'cracked'; -- ";
cmd.select(id, name);
cmd.where(id.is(userInput));   // no numeric check: the string is emitted verbatim
System.out.print(cmd.getSelect());
// output
// SELECT t33.id, t33.name
// FROM table1 t33
// WHERE t33.id=0; update some_table set password = 'cracked'; --
On Sun, Jan 24, 2010 at 9:26 PM, Rainer Döbele <[email protected]> wrote:
> Where exactly is the safety issue in the WHERE clause?
> We should consider just adding the same checks as for the other numeric types.
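The check Rainer refers to ("the same checks as for the other numeric types") is the point of the thread: a value bound to an AUTOINC or INTEGER column should only ever reach the SQL text as a number literal, whatever Java type the caller handed over. The following is an added illustration, not empire-db code and not anything either poster wrote; the `ColType` enum and the `renderUnsafe`/`renderChecked`/`toNumberLiteral` helpers are hypothetical stand-ins for the library's comparison rendering, kept minimal so the difference between the two paths is visible.

```java
import java.math.BigDecimal;

/**
 * Added illustration (not empire-db code): how a comparison against a numeric
 * column should treat a value that arrived as a String, e.g. from a web form.
 */
public class NumericWhereCheck {

    /** Hypothetical column types, mirroring the DataType names used in the post. */
    enum ColType { AUTOINC, INTEGER, DECIMAL, TEXT }

    /** Unsafe rendering: whatever toString() yields is concatenated as-is. */
    static String renderUnsafe(String column, Object value) {
        return column + "=" + value;
    }

    /** Checked rendering: numeric columns only ever emit a canonical number literal. */
    static String renderChecked(String column, ColType type, Object value) {
        switch (type) {
            case AUTOINC:
            case INTEGER:
            case DECIMAL:
                return column + "=" + toNumberLiteral(value);
            default:
                // Text columns need quoting and escaping instead; not covered here.
                throw new IllegalArgumentException("only numeric column types are handled");
        }
    }

    /**
     * Accepts a Number, or a String that parses as one, and re-emits the parsed
     * value rather than the caller's original text, so nothing else can ride along.
     */
    static String toNumberLiteral(Object value) {
        if (value instanceof Number) {
            return new BigDecimal(value.toString()).toPlainString();
        }
        if (value instanceof String) {
            try {
                return new BigDecimal(((String) value).trim()).toPlainString();
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("not a numeric value: " + value, e);
            }
        }
        throw new IllegalArgumentException("unsupported value type: " + value.getClass());
    }

    public static void main(String[] args) {
        // Constructed input, same shape as the string in the post above
        String userInput = "0; update some_table set password = 'cracked'; -- ";

        // Unchecked path: the whole string lands in the WHERE clause
        System.out.println(renderUnsafe("t33.id", userInput));

        // Checked path with a well-formed value
        System.out.println(renderChecked("t33.id", ColType.AUTOINC, "42"));

        // Checked path with the same hostile string: rejected before any SQL is built
        try {
            renderChecked("t33.id", ColType.AUTOINC, userInput);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that the checked path never echoes the input string back into the SQL; it parses and then re-serialises, so a value that is not a number fails loudly at the call site instead of silently changing the statement. Whether the real fix should reject or coerce is a library decision; either way the raw string must not be concatenated for a numeric column.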