
#63 dynamic sql escape special character bug

Status: open-fixed
Milestone: None
Priority: 5
Updated: 2003-08-12
Created: 2003-08-06
Creator: Jin Tong
Private: No

In the find_XXXXX methods, the SQL statements are built dynamically
by appending new arguments to an existing buffer.
SQL control characters are not properly escaped. For
example, if a string argument contains "'", the
resulting SQL that is sent to the database will be
ill-formed and an SQLException will usually be
thrown. This happens at least with MySQL and Oracle
databases (and their default JDBC drivers).

Discussion

  • Steve Viens - 2003-08-06
    • assigned_to: nobody --> sviens

  • Steve Viens - 2003-08-06
    • status: open --> closed

  • Steve Viens - 2003-08-06
    • status: closed --> closed-fixed

  • Steve Viens - 2003-08-06

    Replaced use of JDBC Statement with PreparedStatement so
    that all SQL values are escaped by the JDBC driver.

    Steve

     
  • Jin Tong - 2003-08-12

    Replacing with a prepared statement this way doesn't solve the
    problem. The SQL parameters are still dynamically appended, so
    all the control characters are still literally appended to
    the SQL. PreparedStatement handles the control characters only
    when the parameters are set by the setXXXX methods on the
    PreparedStatement. As such, the CVS code (as of 08/12/2003)
    still doesn't handle control characters (such as "'") correctly.

     
  • Jin Tong - 2003-08-12
    • status: closed-fixed --> open-fixed


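The three patterns discussed in this ticket side by side, as an added example that is not part of the original report or of the project's code. The project is Java/JDBC; this uses Python's built-in sqlite3 module, whose `?` placeholders and parameter tuple play the same role as PreparedStatement placeholders and the setXXXX calls. The `business` table, the sample names and the `find_by_name_*` function names are constructed for the example. Beyond the ill-formed SQL the report describes, it also shows that the concatenated variants let a crafted argument change the query, which parameter binding prevents.

```python
import sqlite3

# Constructed sample data for the example: two of the names contain "'".
SAMPLE_NAMES = ["Acme Corp", "O'Reilly Media", "Jin's Shop"]


def _open_db() -> sqlite3.Connection:
    """Create a throwaway in-memory table holding SAMPLE_NAMES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE business (name TEXT)")
    conn.executemany(
        "INSERT INTO business (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES]
    )
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    """Pattern from the bug report: the argument is appended into the SQL text.

    A "'" inside `name` terminates the literal early; the rest of the value is
    parsed as SQL, so the statement is either rejected or means something else.
    """
    sql = "SELECT name FROM business WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_prepared_wrong(conn: sqlite3.Connection, name: str) -> list:
    """The incomplete fix Jin Tong describes: a prepared statement whose SQL
    text already has the value concatenated in.

    The driver escapes only values passed as parameters; here it receives no
    placeholders and no parameters, so this behaves exactly like the concat
    version. (Hypothetical helper name; the page does not show the CVS code.)
    """
    sql = "SELECT name FROM business WHERE name = '" + name + "'"
    cur = conn.cursor()
    cur.execute(sql, ())  # prepared, but nothing is bound
    return [row[0] for row in cur.fetchall()]


def find_by_name_bound(conn: sqlite3.Connection, name: str) -> list:
    """Correct form: placeholder in the SQL text, value bound separately.

    This is the sqlite3 equivalent of PreparedStatement.setString(1, name):
    the value never becomes part of the statement text, so "'" is just data.
    """
    sql = "SELECT name FROM business WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def try_find(func, name: str) -> tuple:
    """Run one lookup on a fresh table; return ("ok", rows) or ("error", type)."""
    conn = _open_db()
    try:
        return ("ok", func(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    for lookup in (find_by_name_concat, find_by_name_prepared_wrong, find_by_name_bound):
        for arg in ("Acme Corp", "O'Reilly Media", "x' OR '1'='1"):
            print(f"{lookup.__name__:28s} {arg!r:20s} -> {try_find(lookup, arg)}")
```

Running it shows the two concatenating variants raising `OperationalError` for `O'Reilly Media` and returning every row for `x' OR '1'='1`, while the bound variant returns the matching row for the first and no rows for the second.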
