Re: [pgadmin-support] Results from testing RC2, rev: 5607:5627M

Mon, 13 Nov 2006 15:44:05 -0800 

Hi developers! Hi Dave!

[EMAIL PROTECTED] wrote:
- While experimenting with pasting, I pasted the dummy text 'asdfg' to an integer column and saved - which produced an error as expected. The nature of the error was a bit of a surprise though: 

   An error has occurred:
   FEHLER: Spalte >>asdfg<< existiert nicht.

Meaning: "Error: Column >>asdfg<< does not exist."

Somehow data is being mistaken for a column name. This could possibly 
lead to grave errors. (Or is it the German translation wrong?)



Checking the the log-file reveals the cause:

2006-11-13 21:49:22 CET postgres FEHLER:  Spalte »asdfg« existiert nicht

2006-11-13 21:49:22 CET postgres ANWEISUNG:  INSERT INTO 
cp.test(feld_id) VALUES (asdfg::integer)



This should read 'asdfg'::integer (with single quotes), as long as you 
don't make sure the data is numeric in the first place.
Could have nasty side-effects otherwise. Home-made 'SQL-injection'? Or 
is this by design, so you _can_ enter function calls?

(But then again, that would not play well with the rest of the application.)


Actually, I entered a function call and it was evaluated. Subsequent 
operations on the new row showed a variety of weird effects.

Another sample from the log:

Note how the value is being quoted in the WHERE-clause, when trying to 
change the newly inserted row. Note also, that the WHERE clause is quite 
nonsensical for a integer column.



2006-11-13 23:59:03 CET postgres ANWEISUNG:  SELECT * FROM cp.feld WHERE 
feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:11 CET postgres FEHLER:  ungültige Eingabesyntax für 
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:11 CET postgres ANWEISUNG:  UPDATE cp.feld SET 
feld_id=NULL::integer WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59x:35 CET postgres FEHLER:  duplizierter Schlüssel 
verletzt Unique-Constraint »feld_pkey«
2006-11-13 23:59:35 CET postgres ANWEISUNG:  INSERT INTO 
cp.feld(feld_id) VALUES (cp.f_ausgabe_id()::integer)
2006-11-13 23:59:55 CET postgres FEHLER:  ungültige Eingabesyntax für 
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:55 CET postgres ANWEISUNG:  SELECT * FROM cp.feld WHERE 
feld_id = 'cp.f_ausgabe_id()'::integer



Regards
Erwin

---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
      choose an index scan if your joining column's datatypes do not
      match






















					Reply via email to