Hi McKinley
Just to let you know:
In the Where clause of the DBCommand object we're not doing any type checks at
all.
Hence your SQL-Injection example below also works for other numeric columns.
The question is whether we should at this point or not.
We're doing type-checks when working with DBRecord objects.
They internally then use a DBCommand as well.
Adding a check in DBCommand would mean a double check.
I think the DBCommand is the lowest level.
All checks should be performed at a higher level in order to avoid Overhead.
Regards
Rainer
McKinley wrote:
> Re: DataType.AUTOINC Probably Needs a Change
>
> I guess this is the same for AUTOINC and INTEGER now that I test it. I
> had assumed that it was only happening to AUTOINC because the data
> type was falling through a case statement. But here is an example. I
> think it is not safe. Yes, the developer should be doing their own
> checks, but if a developer gets a value from the web it will always be
> a string.
>
> Connection conn = env.getConnection();
> DBDatabaseDriverMSSQL driver = new DBDatabaseDriverMSSQL();
> qscDB.open(driver, conn);
> DBCommand cmd = db.createCommand();
>
> DBTableColumn id;
> DBTableColumn name;
>
> DBTable table1 = new DBTable("table1", db);
> id = table1.addColumn("id", DataType.AUTOINC, 10.0, false, null);
> name = table1.addColumn("name", DataType.TEXT, false, 20.0,
> false, null);
> table1.setPrimaryKey(id);
>
> String userInput = "0; update some_table set password =
> 'cracked'; -- ";
>
> cmd.select(id, name);
> cmd.where(id.is(userInput));
> System.out.print(cmd.getSelect());
>
> // output
> // SELECT t33.id, t33.name
> // FROM table1 t33
> // WHERE t33.id=0; update some_table set password = 'cracked'; --
>
> On Sun, Jan 24, 2010 at 9:26 PM, Rainer Döbele <[email protected]>
> wrote:
> > Where exactly is the safety issue in the WHERE clause?
> > We should consider just adding the same checks as for the other
> numeric types.
