Re: Results from testing RC2, rev: 5607:5627M

From: Erwin Brandstetter <brandstetter(at)falter(dot)at>
To: pgadmin-support(at)postgresql(dot)org
Subject: Re: Results from testing RC2, rev: 5607:5627M
Date: 2006-11-13 23:43:38
Message-ID: 4559032A.4020107@falter.at
Lists: pgadmin-support

Hi developers! Hi Dave!

brandstetter(at)falter(dot)at wrote:
> - While experimenting with pasting, I pasted the dummy text 'asdfg' to
> an integer column and saved - which produced an error as expected. The
> nature of the error was a bit of a surprise though:
>
> An error has occurred:
> FEHLER: Spalte >>asdfg<< existiert nicht.
>
> Meaning: "Error: Column >>asdfg<< does not exist."
> Somehow data is being mistaken for a column name. This could possibly
> lead to grave errors. (Or is the German translation wrong?)
>
Checking the log-file reveals the cause:

2006-11-13 21:49:22 CET postgres FEHLER: Spalte »asdfg« existiert nicht
2006-11-13 21:49:22 CET postgres ANWEISUNG: INSERT INTO
cp.test(feld_id) VALUES (asdfg::integer)

This should read 'asdfg'::integer (with single quotes), as long as you
don't make sure the data is numeric in the first place.
Could have nasty side-effects otherwise. Home-made 'SQL-injection'? Or
is this by design, so you _can_ enter function calls?
(But then again, that would not play well with the rest of the application.)

Actually, I entered a function call and it was evaluated. Subsequent
operations on the new row showed a variety of weird effects.
Another sample from the log:
Note how the value is being quoted in the WHERE-clause, when trying to
change the newly inserted row. Note also that the WHERE clause is quite
nonsensical for an integer column.

2006-11-13 23:59:03 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE
feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:11 CET postgres FEHLER: ungültige Eingabesyntax für
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:11 CET postgres ANWEISUNG: UPDATE cp.feld SET
feld_id=NULL::integer WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:35 CET postgres FEHLER: duplizierter Schlüssel
verletzt Unique-Constraint »feld_pkey«
2006-11-13 23:59:35 CET postgres ANWEISUNG: INSERT INTO
cp.feld(feld_id) VALUES (cp.f_ausgabe_id()::integer)
2006-11-13 23:59:55 CET postgres FEHLER: ungültige Eingabesyntax für
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:55 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE
feld_id = 'cp.f_ausgabe_id()'::integer

Regards
Erwin
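
The behaviour reported in this message, reproduced as an added example that is not part of the original post or of pgAdmin's code: cell text pasted into the statement is parsed as a column name or function call, while bound or validated text stays data. It assumes Python's built-in sqlite3 as a stand-in for PostgreSQL; the table `test` and all function names are made up for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the one-column integer table in the logs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (feld_id INTEGER)")
    return db

def insert_interpolated(db, cell_text):
    """Deliberately unsafe: cell text is pasted into the SQL, as in the log."""
    db.execute(f"INSERT INTO test(feld_id) VALUES ({cell_text})")

def insert_bound(db, cell_text):
    """Cell text travels as a bound parameter, so it can only ever be data."""
    db.execute("INSERT INTO test(feld_id) VALUES (?)", (cell_text,))

def insert_validated(db, cell_text):
    """Make sure the text is numeric first, then bind the integer."""
    db.execute("INSERT INTO test(feld_id) VALUES (?)", (int(cell_text),))

def stored(db):
    return [row[0] for row in db.execute("SELECT feld_id FROM test ORDER BY rowid")]

def demo():
    results = {}
    db = make_db()
    try:
        insert_interpolated(db, "asdfg")       # parsed as a column reference
    except sqlite3.OperationalError as exc:
        results["interpolated_text"] = str(exc)
    insert_interpolated(db, "abs(-42)")        # parsed as a call and evaluated
    results["interpolated_call"] = stored(db)

    db = make_db()
    insert_bound(db, "abs(-42)")               # kept verbatim, never evaluated
    results["bound_call"] = stored(db)

    db = make_db()
    try:
        insert_validated(db, "abs(-42)")       # int() raises before any SQL runs
    except ValueError:
        results["validated_call"] = "rejected"
    insert_validated(db, "42")
    results["validated_ok"] = stored(db)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

SQLite keeps non-numeric bound text in an INTEGER column as text, whereas PostgreSQL rejects it with the invalid input syntax error seen in the log lines above.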
