Re: SQL_CURSOR_TYPE prepare execute issue
| From | Alvaro Herrera |
|---|---|
| Subject | Re: SQL_CURSOR_TYPE prepare execute issue |
| Date | |
| Msg-id | 20150115160237.GQ1663@alvh.no-ip.org |
| In reply to | Re: SQL_CURSOR_TYPE prepare execute issue (Heikki Linnakangas <hlinnakangas@vmware.com>) |
| Replies | Re: SQL_CURSOR_TYPE prepare execute issue |
| List | pgsql-odbc |
Heikki Linnakangas wrote:

> > I have had a quick look over the change and it looks ok to me. Something of a clean up and simplification as well.
> >
> > If I understand it correctly, the only things that don't get quoted are SQL_INTEGER and SQL_SMALLINT that pass the newvalid_int_literal() test.
> >
> > The only thing I can see that could pass that test and not be a valid integer would be a single minus char, i.e. "-".
> >
> > Not sure if there is any way that could be vulnerable though.
>
> Ah, good catch. That is definitely a problem. Consider:
>
> SELECT * FROM foo WHERE 1-? > 0
>
> If you replace ? with -, it becomes "--", which comments out the rest of the query. That's actually a problem with any negative number.
>
> It would be tempting to just always quote the value, but that again would lead to subtle changes in the datatype that the server chooses.

Maybe you can "quote" it with whitespace, so that it becomes

SELECT * FROM foo WHERE 1- -1 > 0

which is no longer a comment and has no other side effect.

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
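The failure mode discussed in the thread, as an added example that is not part of the original message or of psqlodbc. It assumes a lenient integer-literal check of the shape the thread describes (optional sign, then digits, so a bare "-" passes); `lenient_int_literal`, `strict_int_literal`, `bind_literal`, `has_line_comment` and the constructed query `DEMO_QUERY` are illustrative names, not the driver's own code. `bind_literal` substitutes the parameter unquoted, with or without the whitespace padding Álvaro suggests, so the effect on "1-?" can be seen directly:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed query with one parameter marker, as in Heikki's example. */
const char *const DEMO_QUERY = "SELECT * FROM foo WHERE 1-? > 0";

/*
 * Assumed shape of the lenient check discussed in the thread: an optional
 * sign followed by zero or more digits. A bare "-" passes, which is the flaw.
 * Stand-in for illustration only, not psqlodbc's newvalid_int_literal().
 */
bool lenient_int_literal(const char *s)
{
    if (*s == '-' || *s == '+')
        s++;
    for (; *s != '\0'; s++)
        if (!isdigit((unsigned char) *s))
            return false;
    return true;
}

/* Stricter check: the optional sign must be followed by at least one digit. */
bool strict_int_literal(const char *s)
{
    if (*s == '-' || *s == '+')
        s++;
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++)
        if (!isdigit((unsigned char) *s))
            return false;
    return true;
}

/*
 * Substitute the first '?' in query with value, unquoted. When pad is true
 * the value is "quoted" with a space on each side: it stays an unquoted
 * integer literal (so the server's type choice is unchanged) but can no
 * longer fuse with a preceding '-' into a "--" comment marker. Returns a
 * pointer to a static buffer, or NULL if there is no marker or the result
 * does not fit.
 */
const char *bind_literal(const char *query, const char *value, bool pad)
{
    static char out[256];
    const char *mark = strchr(query, '?');
    int n;

    if (mark == NULL)
        return NULL;
    n = snprintf(out, sizeof out, "%.*s%s%s%s%s",
                 (int) (mark - query), query,
                 pad ? " " : "", value, pad ? " " : "",
                 mark + 1);
    if (n < 0 || (size_t) n >= sizeof out)
        return NULL;
    return out;
}

/*
 * True if the text contains a "--" sequence. Values reaching this point are
 * unquoted integers, so a naive scan suffices for the demonstration; real
 * SQL tokenisation would have to skip string literals and quoted identifiers.
 */
bool has_line_comment(const char *sql)
{
    return sql != NULL && strstr(sql, "--") != NULL;
}

int main(void)
{
    const char *values[] = { "-", "-1", "42" };
    size_t i;

    for (i = 0; i < sizeof values / sizeof values[0]; i++) {
        const char *v = values[i];
        const char *raw = bind_literal(DEMO_QUERY, v, false);
        bool bad = has_line_comment(raw);

        printf("value %-3s lenient=%d strict=%d\n", v,
               lenient_int_literal(v), strict_int_literal(v));
        printf("  unpadded: %s%s\n", raw,
               bad ? "   <-- rest of statement commented out" : "");
        printf("  padded:   %s\n", bind_literal(DEMO_QUERY, v, true));
    }
    return 0;
}
```

Run as-is, the program shows "-1" producing `1--1 > 0` (everything after the first `--` is a comment) and, with padding, `1- -1  > 0`, which the server parses as arithmetic. A bare "-" is rejected by the stricter check before it reaches the query; if it did get through, padding turns it into a syntax error rather than a comment.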