escapeQuotes causes faults in DatabaseMetaData

From: Paolo Predonzani <paolo(dot)predonzani(at)gmail(dot)com>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: escapeQuotes causes faults in DatabaseMetaData
Date: 2006-02-03 16:54:41
Message-ID: 1138985682.7276.24.camel@localhost.localdomain
Lists: pgsql-jdbc

Hi everybody!
There is a particular type of input that causes trouble when calling
DatabaseMetaData's methods such as getTables(), etc.

The inputs I'm talking about are strings containing backslash characters
in situations like the following:

    dbmd.getTables(null, null, "my\\table", types);

The result is generally a wrong answer from the getTables method or, in
the worst situation where the backslash is the last character, a
PSQLException.

Some sample code:

    public void testPostgresQuote() throws Exception {
        System.out.println("testPostgresQuote:");
        Connection conn = null;
        try {
            String[] types = {"TABLE"};
            conn = ConnectionFactory.getConnection();
            DatabaseMetaData dbmd = conn.getMetaData();
            dbmd.getTables(null, null, "\\", types);
        } finally {
            if (conn != null) {
                try {conn.close();} catch (Exception e2) {}
            }
        }
    }

This causes a nasty exception (and opens a possibility for SQL
injection?):

    ERROR: unterminated quoted string at or near "'\' AND (false ) ORDER BY TABLE_TYPE,TABLE_SCHEM,TABLE_NAME "
    org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'\' AND (false ) ORDER BY TABLE_TYPE,TABLE_SCHEM,TABLE_NAME "
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:1512)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1297)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:188)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:430)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:332)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:231)
        at org.postgresql.jdbc2.AbstractJdbc2DatabaseMetaData.getTables(AbstractJdbc2DatabaseMetaData.java:2190)

I've looked at the source code for postgresql-jdbc-8.1-404 and the
trouble seems to come from the escapeQuotes function in
AbstractJdbc2DatabaseMetaData.java

    protected static String escapeQuotes(String s) {
        StringBuffer sb = new StringBuffer();
        int length = s.length();
        char prevChar = ' ';
        char prevPrevChar = ' ';
        for (int i = 0; i < length; i++)
        {
            char c = s.charAt(i);
            sb.append(c);
            if (c == '\'' && (prevChar != '\\' || (prevChar == '\\' && prevPrevChar == '\\')))
            {
                sb.append("'");
            }
            prevPrevChar = prevChar;
            prevChar = c;
        }
        return sb.toString();
    }

I believe escapeQuotes only checks for single quotes, and does nothing
to backslashes.
My temporary solution has been to patch escapeQuotes as follows:

    protected static String escapeQuotes(String s) {
        StringBuffer sb = new StringBuffer();
        int length = s.length();
        char prevChar = ' ';
        char prevPrevChar = ' ';
        for (int i = 0; i < length; i++)
        {
            char c = s.charAt(i);
            if ( c == '\\' || c == '\'' )
                sb.append('\\');

            sb.append(c);
        }
        return sb.toString();
    }

... which seems to work.

Regards

Paolo
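
The following is an added example, not part of the original message or of the driver's code: it runs the escaping quoted in the message and the posted patch over the two patterns from the message plus one constructed name, then reads each resulting literal back the way a server that treats backslashes in ordinary string literals as escapes would. The `relname LIKE` fragment and the `serverView` helper are assumptions made for illustration.

```java
public class EscapeQuotesDemo {
    // Escaping as quoted in the message: doubles quotes, leaves backslashes alone.
    static String escapeOriginal(String s) {
        StringBuilder sb = new StringBuilder();
        char prev = ' ', prevPrev = ' ';
        for (char c : s.toCharArray()) {
            sb.append(c);
            if (c == '\'' && (prev != '\\' || prevPrev == '\\')) sb.append('\'');
            prevPrev = prev; prev = c;
        }
        return sb.toString();
    }

    // Same result as the patch in the message: prefix \ and ' with a backslash.
    static String escapePatched(String s) {
        return s.replace("\\", "\\\\").replace("'", "\\'");
    }

    // Hypothetical helper: decode the literal whose opening quote is at sql[start],
    // with backslash escapes enabled (octal/hex forms omitted). null = unterminated.
    static String serverView(String sql, int start) {
        StringBuilder out = new StringBuilder();
        for (int i = start + 1; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\'') {
                if (i + 1 == sql.length() || sql.charAt(i + 1) != '\'') return out.toString();
                i++;                                  // doubled quote: keep one
            } else if (c == '\\') {
                if (++i == sql.length()) return null; // backslash at end of input
                int k = "bfnrt".indexOf(sql.charAt(i));
                c = k >= 0 ? "\b\f\n\r\t".charAt(k) : sql.charAt(i);
            }
            out.append(c);
        }
        return null;                                  // no closing quote found
    }

    public static void main(String[] args) {
        String pre = "relname LIKE '";                // assumed query fragment
        for (String in : new String[] {"my\\table", "\\", "O'Brien"}) { // constructed inputs
            for (String esc : new String[] {escapeOriginal(in), escapePatched(in)}) {
                String sql = pre + esc + "' AND (false)";
                String seen = serverView(sql, pre.length() - 1);
                System.out.println(sql + "  => " + (seen == null ? "UNTERMINATED"
                        : seen.equals(in) ? "same value" : "value changed"));
            }
        }
    }
}
```

Backslash-prefixing is only correct while the server reads backslashes in ordinary literals as escapes; with `standard_conforming_strings` on, `\'` no longer escapes the quote, so the escaping has to match the server's setting.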
