Parameterized LIKE results in fail
----------------------------------
Key: DNET-976
URL: http://tracker.firebirdsql.org/browse/DNET-976
Project: .NET Data provider
Issue Type: Bug
Components: NuGet packages
Affects Versions: 7.5.0.0
Environment: Windows 10 2004, Visual Studio 2019 Community Edition 16.7.7
Server runs on Windows Server 2019
Firebird Server 2.5.9
Reporter: Marvin Klein
Assignee: Jiri Cincura
Consider the following scenario.
Table: CUSTOMERS
Fields:
CUSTOMER_FIRSTNAME VARCHAR(10)
CUSTOMER_LASTNAME VARCHAR(15)
Now I have the following C# code:
using var connection = new FbConnection(connectionString); // create connection
connection.Open();
using var command = connection.CreateCommand(); // create command
command.Parameters.AddWithValue("@SEARCH", $"%{search.ToUpper()}%");
command.CommandText = "SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE @SEARCH OR CUSTOMER_LASTNAME LIKE @SEARCH";
using var reader = command.ExecuteReader(); // do something with the reader. This works fine as long as my parameter search does not exceed 10 characters.
When you try this command with more than 10 characters, you get an exception.
However, doing the following does not result in an exception:
command.CommandText = $"SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE '%{search.ToUpper()}%' OR CUSTOMER_LASTNAME LIKE '%{search.ToUpper()}%'";
using var reader = command.ExecuteReader(); // do something with the reader, no exception
But using this way I am vulnerable to SQL-Injections.
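An added example, not code from the report or from the provider project, showing how the search can stay parameterized instead of falling back to string interpolation. It assumes a reachable Firebird database (the connection string is a placeholder), the CUSTOMERS table described above, and that the usual cause of this error applies here: the server derives the LIKE parameter's type from the compared VARCHAR(10) column, so a longer pattern is rejected as string truncation. Casting the parameter in the SQL to a wider VARCHAR (100 is an assumed width) gives it its own size. The EscapeLikePattern helper is hypothetical; it escapes %, _ and the escape character so user input matches literally rather than as wildcards.

```csharp
using System;
using FirebirdSql.Data.FirebirdClient;

// Added example; not code from the bug report or the provider project.
// Assumptions: a reachable Firebird database (placeholder connection string),
// the CUSTOMERS table from the report, and a CAST width of 100 characters.
static class CustomerSearch
{
    // Escape LIKE metacharacters so the user's text is matched literally.
    // '\' is used as the ESCAPE character in the query below.
    public static string EscapeLikePattern(string input)
    {
        return input
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_");
    }

    public static int CountMatches(FbConnection connection, string search)
    {
        using var command = connection.CreateCommand();
        // CAST gives the parameter its own width instead of the VARCHAR(10) / VARCHAR(15)
        // the server would otherwise infer from the compared column, so a pattern longer
        // than the column no longer raises a string-truncation error. The value is still
        // sent as a parameter and never becomes part of the SQL text.
        command.CommandText =
            "SELECT COUNT(*) FROM CUSTOMERS " +
            "WHERE CUSTOMER_FIRSTNAME LIKE CAST(@SEARCH AS VARCHAR(100)) ESCAPE '\\' " +
            "   OR CUSTOMER_LASTNAME LIKE CAST(@SEARCH AS VARCHAR(100)) ESCAPE '\\'";

        // Same pattern shape as the report (%TERM%), but with wildcards in the input escaped.
        var pattern = "%" + EscapeLikePattern(search.ToUpperInvariant()) + "%";
        command.Parameters.Add("@SEARCH", FbDbType.VarChar, 100).Value = pattern;

        return Convert.ToInt32(command.ExecuteScalar());
    }

    static void Main()
    {
        // Placeholder connection string; replace before running.
        const string connectionString =
            "DataSource=localhost;Database=/path/to/customers.fdb;User=SYSDBA;Password=<password>";

        using var connection = new FbConnection(connectionString);
        connection.Open();

        // Longer than VARCHAR(10): with a plain "LIKE @SEARCH" this is the input
        // that triggers the exception described in the report.
        Console.WriteLine(CountMatches(connection, "a very long search term"));
    }
}
```

Declaring the parameter with an explicit size on the client side alone is not enough if the server still types the parameter from the column; the CAST in the SQL is what changes the descriptor the server prepares. The ESCAPE clause is independent of the truncation issue, but without it a user can submit `%` or `_` and widen the match to every row.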
Firebird-net-provider mailing list
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider