Hi developers! Hi Dave!
brandstetter@falter.at wrote:
> - While experimenting with pasting, I pasted the dummy text 'asdfg' to
> an integer column and saved - which produced an error as expected. The
> nature of the error was a bit of a surprise though:
>
> An error has occurred:
> FEHLER: Spalte >>asdfg<< existiert nicht.
>
> Meaning: "Error: Column >>asdfg<< does not exist."
> Somehow data is being mistaken for a column name. This could possibly
> lead to grave errors. (Or is it the German translation wrong?)
>
Checking the the log-file reveals the cause:
2006-11-13 21:49:22 CET postgres FEHLER: Spalte »asdfg« existiert nicht
2006-11-13 21:49:22 CET postgres ANWEISUNG: INSERT INTO
cp.test(feld_id) VALUES (asdfg::integer)
This should read 'asdfg'::integer (with single quotes), as long as you
don't make sure the data is numeric in the first place.
Could have nasty side-effects otherwise. Home-made 'SQL-injection'? Or
is this by design, so you _can_ enter function calls?
(But then again, that would not play well with the rest of the application.)
Actually, I entered a function call and it was evaluated. Subsequent
operations on the new row showed a variety of weird effects.
Another sample from the log:
Note how the value is being quoted in the WHERE-clause, when trying to
change the newly inserted row. Note also, that the WHERE clause is quite
nonsensical for a integer column.
2006-11-13 23:59:03 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE
feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:11 CET postgres FEHLER: ungültige Eingabesyntax für
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:11 CET postgres ANWEISUNG: UPDATE cp.feld SET
feld_id=NULL::integer WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59x:35 CET postgres FEHLER: duplizierter Schlüssel
verletzt Unique-Constraint »feld_pkey«
2006-11-13 23:59:35 CET postgres ANWEISUNG: INSERT INTO
cp.feld(feld_id) VALUES (cp.f_ausgabe_id()::integer)
2006-11-13 23:59:55 CET postgres FEHLER: ungültige Eingabesyntax für
ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:55 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE
feld_id = 'cp.f_ausgabe_id()'::integer
Regards
Erwin