Re: Results from testing RC2, rev: 5607:5627M - Mailing list pgadmin-support

From Erwin Brandstetter
Subject Re: Results from testing RC2, rev: 5607:5627M
Msg-id 4559032A.4020107@falter.at
In response to Results from testing RC2, rev: 5607:5627M  (Erwin Brandstetter <brandstetter@falter.at>)
List pgadmin-support
Hi developers! Hi Dave!

brandstetter@falter.at wrote:
> - While experimenting with pasting, I pasted the dummy text 'asdfg' to 
> an integer column and saved - which produced an error as expected. The 
> nature of the error was a bit of a surprise though:
>
>    An error has occurred:
>    FEHLER: Spalte >>asdfg<< existiert nicht.
>
> Meaning: "Error: Column >>asdfg<< does not exist."
> Somehow data is being mistaken for a column name. This could possibly 
> lead to grave errors. (Or is the German translation wrong?)
>
Checking the log file reveals the cause:

2006-11-13 21:49:22 CET postgres FEHLER:  Spalte »asdfg« existiert nicht
2006-11-13 21:49:22 CET postgres ANWEISUNG:  INSERT INTO 
cp.test(feld_id) VALUES (asdfg::integer)

This should read 'asdfg'::integer (with single quotes), as long as you 
don't make sure the data is numeric in the first place.
Could have nasty side-effects otherwise. Home-made 'SQL-injection'? Or 
is this by design, so you _can_ enter function calls?
(But then again, that would not play well with the rest of the application.)

Actually, I entered a function call and it was evaluated. Subsequent 
operations on the new row showed a variety of weird effects.
Another sample from the log:
Note how the value is being quoted in the WHERE-clause, when trying to 
change the newly inserted row. Note also, that the WHERE clause is quite 
nonsensical for an integer column.

2006-11-13 23:59:03 CET postgres ANWEISUNG:  SELECT * FROM cp.feld WHERE 
feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:11 CET postgres FEHLER:  ungültige Eingabesyntax für 
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:11 CET postgres ANWEISUNG:  UPDATE cp.feld SET 
feld_id=NULL::integer WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:35 CET postgres FEHLER:  duplizierter Schlüssel 
verletzt Unique-Constraint »feld_pkey«
2006-11-13 23:59:35 CET postgres ANWEISUNG:  INSERT INTO 
cp.feld(feld_id) VALUES (cp.f_ausgabe_id()::integer)
2006-11-13 23:59:55 CET postgres FEHLER:  ungültige Eingabesyntax für 
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:55 CET postgres ANWEISUNG:  SELECT * FROM cp.feld WHERE 
feld_id = 'cp.f_ausgabe_id()'::integer


Regards
Erwin
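
The behaviour in the log above, as an added example that is not part of the original message and is not pgAdmin's code: cell text spliced unquoted into the INSERT is parsed as an identifier or evaluated as a function call, while a validated, bound parameter is only ever data. SQLite stands in for PostgreSQL so it runs offline; the table and function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for the grid editor's table (assumption: SQLite
# instead of PostgreSQL, table "test" instead of cp.test).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (feld_id INTEGER PRIMARY KEY)")
    return db

def insert_interpolated(db, cell_text):
    """Mirrors the logged statement: cell text pasted into the SQL unquoted."""
    sql = "INSERT INTO test(feld_id) VALUES (CAST(%s AS INTEGER))" % cell_text
    db.execute(sql)
    return sql

def insert_bound(db, cell_text):
    """Validate the cell as an integer, then pass it as a bound parameter."""
    value = int(cell_text.strip())  # ValueError for 'asdfg' or 'abs(-7)'
    db.execute("INSERT INTO test(feld_id) VALUES (?)", (value,))
    return value

def stored_ids(db):
    return [r[0] for r in db.execute("SELECT feld_id FROM test ORDER BY feld_id")]

def demo():
    db = make_db()
    results = {"rejected": []}
    # 1. Plain text is parsed as an identifier: "no such column", the same
    #    class of error as the "Spalte ... existiert nicht" line in the log.
    try:
        insert_interpolated(db, "asdfg")
    except sqlite3.OperationalError as exc:
        results["identifier_error"] = str(exc)
    # 2. A function call typed into the cell is evaluated by the database.
    insert_interpolated(db, "abs(-7)")
    results["after_function_call"] = stored_ids(db)
    # 3. The bound path rejects both inputs and accepts a real integer.
    for text in ("asdfg", "abs(-7)"):
        try:
            insert_bound(db, text)
        except ValueError:
            results["rejected"].append(text)
    insert_bound(db, " 42 ")
    results["final"] = stored_ids(db)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```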

