Heikki Linnakangas wrote:
> >I have had a quick look over the change and it looks ok to me. Something of a clean up and simplification as well.
> >If I understand it correctly, the only things that don't get quoted are SQL_INTEGER and SQL_SMALLINT that pass the
newvalid_int_literal() test.
> >The only thing I can see that could pass that test and not be a valid integer would be a single minus char i.e. "-"
> >not sure if there is anyway that could be vulnerable though.
>
> Ah, good catch. That is definitely a problem. Consider:
>
> SELECT * FROM foo WHERE 1-? > 0
>
> If you replace ? with -, it becomes "--", which comments out the rest of the
> query. That's actually a problem with any negative number.
>
> It would be tempting to just always quote the value, but that again would
> lead to subtle changes in the datatype that the server chooses.
Maybe you can "quote" it with whitespace, so that it becomes
SELECT * FROM foo WHERE 1- -1 > 0
which is no longer a comment and has no other side effect.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
