PreparedFilterToSql does not turn primary key values into placeholders
---------------------------------------------------------------------
Key: GEOT-2017
URL: http://jira.codehaus.org/browse/GEOT-2017
Project: GeoTools
Issue Type: Bug
Reporter: Andrea Aime
Fix For: 2.5.0, 2.6-M0
Running the Oracle tests with logging enabled I noticed the following two
statements:
SELECT FID,ID,GEOM as GEOM,NAME FROM ROAD WHERE (FID = '0')
DELETE FROM ROAD WHERE (FID = '0')
It seems pk components are not turned into literals, allowing for sql injection
attacks. Moreover, FID is a number, 0 should not be escaped with '... thought
that might prevent light sql injection attacks and does not seem to hurt
(Oracle is probably casting that to int before doing the comparison).
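As an added illustration (not GeoTools code), the sketch below contrasts the two encodings the report describes: the primary key spliced into the WHERE clause as a quoted literal, versus emitted as a placeholder with a bind value coerced to the column's numeric type. It uses Python's sqlite3 standing in for the JDBC connection, and the ROAD table and its rows are constructed here.

```python
import sqlite3

# Constructed schema and rows mirroring the ROAD table from the report; FID is numeric.
SCHEMA = "CREATE TABLE ROAD (FID INTEGER PRIMARY KEY, ID INTEGER, GEOM TEXT, NAME TEXT)"
ROWS = [
    (0, 10, "LINESTRING(0 0,1 1)", "main"),
    (1, 11, "LINESTRING(1 1,2 2)", "side"),
]


def pk_filter_literal(fid):
    """Shape of the SQL in the report: the pk value is inlined as a quoted string.
    Whatever the caller passes ends up verbatim inside the statement text."""
    return f"(FID = '{fid}')"


def pk_filter_prepared(fid, pk_type=int):
    """Placeholder form: returns the SQL fragment plus the typed bind value.
    Coercing to the column type means a FID that is not a number is rejected
    (ValueError) instead of becoming part of the statement."""
    return "(FID = ?)", (pk_type(fid),)


def rejects_non_numeric(fid):
    """True if the prepared encoder refuses this value as a numeric pk."""
    try:
        pk_filter_prepared(fid)
    except ValueError:
        return True
    return False


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ROAD VALUES (?,?,?,?)", ROWS)
    return conn


def select_by_fid(conn, fid):
    where, params = pk_filter_prepared(fid)
    sql = f"SELECT FID,ID,GEOM as GEOM,NAME FROM ROAD WHERE {where}"
    return conn.execute(sql, params).fetchall()


def delete_by_fid(conn, fid):
    where, params = pk_filter_prepared(fid)
    return conn.execute(f"DELETE FROM ROAD WHERE {where}", params).rowcount
```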
_______________________________________________
Geotools-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geotools-devel