empire-dev mailing list archives

From McKinley <mckinley1...@gmail.com>
Subject Re: DataType.AUTOINC Probably Needs a Change
Date Sun, 24 Jan 2010 22:02:36 GMT
I guess this is the same for AUTOINC and INTEGER now that I test it. I
had assumed that it was only happening to AUTOINC because the data
type was falling through a case statement.  But here is an example. I
think it is not safe. Yes, the developer should be doing their own
checks, but if a developer gets a value from the web it will always be
a string.

    import java.sql.Connection;

    import org.apache.empire.data.DataType;
    import org.apache.empire.db.DBCommand;
    import org.apache.empire.db.DBTable;
    import org.apache.empire.db.DBTableColumn;
    import org.apache.empire.db.mssql.DBDatabaseDriverMSSQL;

    // env is the test environment and db the application's DBDatabase
    // subclass instance; both are set up elsewhere in the test.
    Connection conn = env.getConnection();
    DBDatabaseDriverMSSQL driver = new DBDatabaseDriverMSSQL();
    db.open(driver, conn);
    DBCommand cmd = db.createCommand();

    DBTableColumn id;
    DBTableColumn name;

    DBTable table1 = new DBTable("table1", db);
    id = table1.addColumn("id", DataType.AUTOINC, 10.0, false, null);
    name = table1.addColumn("name", DataType.TEXT, 20.0, false, null);
    table1.setPrimaryKey(id);

    // a string value, as every request parameter is, compared against a numeric column
    String userInput = "0; update some_table set password = 'cracked'; -- ";

    cmd.select(id, name);
    cmd.where(id.is(userInput));
    System.out.print(cmd.getSelect());

// output
// SELECT t33.id, t33.name
// FROM table1 t33
// WHERE t33.id=0; update some_table set password = 'cracked'; --

On Sun, Jan 24, 2010 at 9:26 PM, Rainer Döbele <doebele@esteam.de> wrote:
> Where exactly is the safety issue in the WHERE clause?
> We should consider just adding the same checks as for the other numeric types.
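An added example, not Empire-db code, of the kind of numeric check the reply proposes: a literal formatter that accepts a value for an AUTOINC or INTEGER column only if it is a Number or parses strictly as one, so a string like the one above is rejected before it ever reaches the WHERE clause. It defines its own small DataType enum (an assumption, standing in for Empire-db's) so it runs without the library.

```java
import java.math.BigDecimal;

public class NumericValueCheck {

    // Stand-in for Empire-db's DataType, limited to the types used here
    enum DataType { AUTOINC, INTEGER, DECIMAL, TEXT }

    /** Render a WHERE-clause literal, refusing non-numeric input on numeric columns. */
    static String sqlLiteral(DataType type, Object value) {
        if (value == null) {
            return "NULL";
        }
        switch (type) {
            case AUTOINC:
            case INTEGER:
                return toLong(value).toString();          // digits only, never raw text
            case DECIMAL:
                return new BigDecimal(value.toString().trim()).toPlainString();
            case TEXT:
                // double the only delimiter a string literal has; bind parameters are still preferable
                return "'" + value.toString().replace("'", "''") + "'";
            default:
                throw new IllegalArgumentException("unsupported type " + type);
        }
    }

    private static Long toLong(Object value) {
        if (value instanceof Number) {
            return ((Number) value).longValue();
        }
        try {
            return Long.parseLong(value.toString().trim());   // strict: "0; update ..." fails here
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not an integer value: " + value, e);
        }
    }

    public static void main(String[] args) {
        // constructed input, the same string as in the message above
        String userInput = "0; update some_table set password = 'cracked'; -- ";
        System.out.println(sqlLiteral(DataType.INTEGER, "42"));
        System.out.println(sqlLiteral(DataType.TEXT, userInput));
        try {
            sqlLiteral(DataType.AUTOINC, userInput);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```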
