On Tue, Oct 7, 2014 at 11:23 PM, Lukas Eder <[email protected]> wrote:

>
>
> 2014-10-07 19:49 GMT+02:00 Alok Menghrajani <[email protected]>:
>
>> > It looks like the setting is only exposed if it is active. The variable
>> > can be obtained from SHOW VARIABLES LIKE 'sql_mode', or via SELECT
>> > @@SESSION.sql_mode FROM DUAL. I suspect that if we support an AUTO
>> > mode, we would need to check this flag prior to query execution (lazily,
>> > only the first time we actually encounter an inlined string variable).
>>
>> Batch queries also end up needing this. Do you know what other queries
>> or features indirectly inline?
>>
>
> I'm not sure what you mean...? How do batch queries need this?
>
>

Sorry, I wasn't very clear. Given the following table:

create table jooqtest(title varchar(255), primary key(title));
insert into jooqtest (title) values ("hello"),("world"),("foo"),("bar");

And a batch query:

create.batch(
    create.update(table("jooqtest"))
          .set(field("title"), value("aaa"))
          .where(field("title").eq("something\\' or 1=1 ORDER BY title DESC LIMIT 1-- ")),
    create.update(table("jooqtest"))
          .set(field("title"), value("bbb"))
          .where(field("title").eq("whatever")))
    .execute();

In theory, the batch query shouldn't do anything. However, the batch
request is prone to SQLi and one of the rows (in this case "hello" which is
the first row) gets overwritten with "aaa".

I'm assuming the batch feature internally calls inline. My question was:
are there other types of queries or other jOOQ features which call inline?

> Yes, this is why we usually keep a section for incompatible changes in the
> release notes. This change will not be shipped with patch releases, only
> with a minor release.
>
> From how I've perceived the discussion between Morgan Tocker and Bill
> Karwin (on the previously linked blog article by Morgan), I suspect that
> few people actually turned that flag on. So the risk / benefit ratio is
> probably in favour of breaking compatibility this time - in particular
> given that the setNString() method that you've pointed out to me also
> assumes that the flag is not set.
>

:) for favoring security over backwards compatibility!

-- 
You received this message because you are subscribed to the Google Groups "jOOQ 
User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
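The injection in the batch example above comes down to which string-literal grammar the MySQL server is using when it reads an inlined value. The following is an added example (Python, not jOOQ's code and not from the thread) that models the two grammars and re-parses an inlined literal under each. The payload is the one from the batch example; parse_literal is a minimal model of the server's quote and backslash rules (only the escapes needed here); inline_quote_only and inline_backslash_aware are hypothetical stand-ins for the two inlining strategies under discussion, not jOOQ API.

```python
"""Models MySQL string-literal parsing under its two escaping rules to show
why inlining a value by doubling single quotes alone is injectable when
NO_BACKSLASH_ESCAPES is off.  Added example, not jOOQ's code."""

# Constructed payload: the same string as in the thread's batch example,
# written as a Python literal (one real backslash before the quote).
PAYLOAD = "something\\' or 1=1 ORDER BY title DESC LIMIT 1-- "


def inline_quote_only(value: str) -> str:
    """Hypothetical inliner that only doubles single quotes.
    Correct when sql_mode contains NO_BACKSLASH_ESCAPES; unsafe otherwise."""
    return "'" + value.replace("'", "''") + "'"


def inline_backslash_aware(value: str) -> str:
    """Hypothetical inliner that escapes backslashes and doubles quotes.
    Correct in MySQL's default mode; under NO_BACKSLASH_ESCAPES the doubled
    backslash is stored literally (wrong data, but no injection)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def parse_literal(sql: str, no_backslash_escapes: bool):
    """Decode the single-quoted literal at the start of `sql` the way the
    server would and return (decoded_value, text_after_literal).

    Rules modelled: '' is one quote in both modes; a backslash escapes the
    following character only when NO_BACKSLASH_ESCAPES is off (the default).
    Other escape sequences (\\n, \\0, ...) are not needed for this demo."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])       # backslash escapes the next char
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":  # doubled quote -> one quote
                out.append("'")
                i += 2
            else:                        # closing quote: literal ends here
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def check(inliner, value: str, no_backslash_escapes: bool) -> dict:
    """Inline `value`, re-parse it under the given sql_mode, and report
    whether text escaped the literal into SQL (injection) and whether the
    stored value round-trips unchanged."""
    literal = inliner(value)
    decoded, trailing = parse_literal(literal, no_backslash_escapes)
    return {
        "literal": literal,
        "decoded": decoded,
        "trailing": trailing,
        "injected": trailing != "",
        "roundtrips": decoded == value,
    }


if __name__ == "__main__":
    for name, inliner in (("quote-only", inline_quote_only),
                          ("backslash-aware", inline_backslash_aware)):
        for nbe in (False, True):
            r = check(inliner, PAYLOAD, nbe)
            print(f"{name:16} NO_BACKSLASH_ESCAPES={nbe!s:5} "
                  f"injected={r['injected']!s:5} roundtrips={r['roundtrips']!s:5} "
                  f"trailing={r['trailing']!r}")
```

The quote-only inliner under the default mode is the case shown in the batch example: the server reads `\'` as an escaped quote, the next `'` closes the literal, and ` or 1=1 ORDER BY title DESC LIMIT 1-- ` runs as SQL. The backslash-aware inliner under NO_BACKSLASH_ESCAPES is the other side of the trade-off discussed above: no injection, but a stored value with a doubled backslash. An AUTO mode as proposed would pick the inliner after reading `SHOW VARIABLES LIKE 'sql_mode'` on the live connection; this example takes the mode as a parameter so it runs offline.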