[ https://issues.apache.org/jira/browse/OFBIZ-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Si Chen closed OFBIZ-837.
-------------------------

    Resolution: Fixed

> EntityFunction.UPPER will crash if its argument contains apostrophes
> --------------------------------------------------------------------
>
>                 Key: OFBIZ-837
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-837
>             Project: OFBiz (The Open for Business Project)
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Leon Torres
>         Assigned To: Si Chen
>            Priority: Blocker
>         Attachments: EntityFunctionUpper.patch
>
>
> If one makes a LIKE condition such as the following,
>
> EntityExpr("firstName", true, EntityOperator.LIKE, "O'Donnell", true);
>
> It gets mapped into an SQL expression:
>
> FIRST_NAME LIKE UPPER('O'Donnell')
>
> Which crashes because the apostrophe in O'Donnell was not escaped.
>
> The reason for this is that when the condition is created by
> EntityFunction.UPPER, it bypasses the usual string escaping that is performed
> by the JDBC. That is, the entity engine is constructing the
> UPPER('O'Donnell') string by hand and inserting it directly into an SQL
> instruction, rather than using a safer prepared statement technique.
>
> This bug crashes a bunch of screens all over that use the LIKE operation. It
> also permits SQL injection attacks, which is the reason I made this a blocker
> issue.
>
> This issue was discovered on a client site running an older version of OFBiz
> and has been confirmed in SVN. You can try it by searching for "O'Donnell"
> or anything with an apostrophe in the party manager's find party screen.
>
> I have a very simple fix which I'll attach after this that can be applied to
> OFBiz since 3.0 at least.
>
> Those of us who have older versions in production should probably consider
> fixing this bug.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
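As an added illustration of the failure the report describes (this is not OFBiz code and not the attached patch), the following Python builds an in-memory SQLite table with constructed rows and runs the same LIKE/UPPER search two ways: once by splicing the UPPER('...') literal into the SQL text by hand, as the entity engine was doing, and once by binding the value to UPPER(?) as a prepared-statement parameter, which is the fix the report recommends.

```python
import sqlite3


def make_db():
    """Create an in-memory table with a few constructed sample names (not OFBiz data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (first_name TEXT)")
    conn.executemany(
        "INSERT INTO person VALUES (?)",
        [("O'Donnell",), ("Odonnell",), ("Smith",)],
    )
    return conn


def find_by_hand_built_sql(conn, pattern):
    """Mirrors the bug: the UPPER('...') literal is assembled as a string and
    dropped straight into the SQL text, so an apostrophe in the value ends the
    literal early and the statement no longer parses."""
    sql = f"SELECT first_name FROM person WHERE UPPER(first_name) LIKE UPPER('{pattern}')"
    return [row[0] for row in conn.execute(sql)]


def find_with_bound_parameter(conn, pattern):
    """The prepared-statement form: UPPER(?) is applied to a bound parameter.
    The value never becomes part of the SQL text, so nothing needs escaping."""
    sql = "SELECT first_name FROM person WHERE UPPER(first_name) LIKE UPPER(?)"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def hand_built_fails(conn, pattern):
    """True when the hand-built statement is rejected by the database,
    which is the crash the report observed on every screen using LIKE."""
    try:
        find_by_hand_built_sql(conn, pattern)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("hand-built, 'Smith':", find_by_hand_built_sql(db, "Smith"))
    print("hand-built, O'Donnell crashes:", hand_built_fails(db, "O'Donnell"))
    print("bound param, O'Donnell:", find_with_bound_parameter(db, "O'Donnell"))
    print("bound param, o'd%:", find_with_bound_parameter(db, "o'd%"))
```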