[ https://issues.apache.org/jira/browse/EMPIREDB-184?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

jan updated EMPIREDB-184:
-------------------------
    Fix Version/s:     (was: empire-db-2.4.5)
                   empire-db-2.4.6

> DBCompareColExpr does not properly escape characters when generating SQL
> ------------------------------------------------------------------------
>
>                 Key: EMPIREDB-184
>                 URL: https://issues.apache.org/jira/browse/EMPIREDB-184
>             Project: Empire-DB
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: empire-db-2.4.1
>            Reporter: Harald Kirsch
>            Assignee: jan
>             Fix For: empire-db-2.4.6
>
>
> When value=="\\something\\", the following code snippet generates an 
> exception:
>     DBCommand cmd = starSchema.createCommand();
>     cmd.select(d.getColumn(Naming.idCol()));
>     cmd.where(d.getKeyColumn().is(value));
>     DBReader r = new DBReader();
>     r.open(cmd, conn);
> The exception is:
> org.apache.empire.db.DBDatabaseDriver|Error executing query 'SELECT t2.ID
>  |FROM DIM_query t2
>  |WHERE t2.ORIGINAL_QUERY='\LCI\'' --> You have an error in your SQL syntax; 
> check the manual that corresponds to your MySQL server version for the right 
> syntax to use near ''\LCI\'' at line 3
>  |com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: You have an error in 
> your SQL syntax; check the manual that corresponds to your MySQL server 
> version for the right syntax to use near ''\LCI\'' at line 3
>  |    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936)
>  |    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985)
>  |    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1631)
>  |    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1723)
>  |    at com.mysql.jdbc.Connection.execSQL(Connection.java:3277)
>  |    at com.mysql.jdbc.Connection.execSQL(Connection.java:3206)
>  |    at com.mysql.jdbc.Statement.executeQuery(Statement.java:1232)
>  |    at org.apache.empire.db.DBDatabaseDriver.executeQuery(DBDatabaseDriver.java:594)
>  |    at org.apache.empire.db.DBDatabase.executeQuery(DBDatabase.java:1381)
>  |    at org.apache.empire.db.DBReader.open(DBReader.java:413)
>  |    at org.apache.empire.db.DBReader.open(DBReader.java:431)
> My hunch is that org.apache.empire.db.DBDatabaseDriver.appendSQLTextValue() 
> should probably take care of escaping characters that let the database throw 
> an exception. Currently the method only takes care of single quotes, but this 
> is seemingly not enough, at least in the case of MySQL.
> (Maybe I should use a feature for prepared statements in empire-db which I 
> have not found yet.-)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
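
The failure quoted in the report, reproduced as an added example (not part of the original message and not Empire-DB code): under MySQL's default sql_mode a trailing backslash escapes the closing quote, so a quote-only literal is left unterminated, while doubling backslashes or binding the value avoids it. The class and the methods `quoteOnly`, `mysqlLiteral`, `isClosedLiteral` and `findId` are hypothetical names; the table and column come from the error message.

```java
import java.sql.*;

// Added illustration; not Empire-DB code. Assumes MySQL's default sql_mode
// (NO_BACKSLASH_ESCAPES off), where a backslash inside '...' escapes the next character.
public class BackslashLiteralDemo {

    // Quote-only escaping, as the report describes the current behaviour.
    static String quoteOnly(String v) {
        return "'" + v.replace("'", "''") + "'";
    }

    // Hypothetical MySQL-aware variant: double backslashes as well as quotes.
    static String mysqlLiteral(String v) {
        return "'" + v.replace("\\", "\\\\").replace("'", "''") + "'";
    }

    // True if s is exactly one complete string literal under MySQL's default rules.
    static boolean isClosedLiteral(String s) {
        if (s.length() < 2 || s.charAt(0) != '\'') return false;
        int i = 1;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '\\') { i += 2; continue; }       // backslash consumes the next char
            if (c == '\'') {
                if (i + 1 < s.length() && s.charAt(i + 1) == '\'') { i += 2; continue; }
                return i == s.length() - 1;            // closing quote must be the last char
            }
            i++;
        }
        return false;                                  // ran off the end: unterminated
    }

    // Bind-parameter form with plain JDBC: the value is never spliced into the SQL text.
    static Object findId(Connection conn, String value) throws SQLException {
        String sql = "SELECT t2.ID FROM DIM_query t2 WHERE t2.ORIGINAL_QUERY = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, value);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getObject(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        String value = "\\LCI\\";                      // the characters \LCI\ from the error message
        System.out.println(quoteOnly(value) + " closed=" + isClosedLiteral(quoteOnly(value)));
        System.out.println(mysqlLiteral(value) + " closed=" + isClosedLiteral(mysqlLiteral(value)));
    }
}
```

`main` needs no database; `findId` requires an open JDBC connection to a schema containing `DIM_query`.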