Re: Results from testing RC2, rev: 5607:5627M
| From | Erwin Brandstetter |
|---|---|
| Subject | Re: Results from testing RC2, rev: 5607:5627M |
| Date | |
| Msg-id | 4559032A.4020107@falter.at |
| In reply to | Results from testing RC2, rev: 5607:5627M (Erwin Brandstetter <brandstetter@falter.at>) |
| List | pgadmin-support |
Hi developers! Hi Dave!

brandstetter@falter.at wrote:
> - While experimenting with pasting, I pasted the dummy text 'asdfg' to
> an integer column and saved - which produced an error as expected. The
> nature of the error was a bit of a surprise though:
>
> An error has occurred:
> FEHLER: Spalte >>asdfg<< existiert nicht.
>
> Meaning: "Error: Column >>asdfg<< does not exist."
> Somehow data is being mistaken for a column name. This could possibly
> lead to grave errors. (Or is the German translation wrong?)
>

Checking the log-file reveals the cause:

```
2006-11-13 21:49:22 CET postgres FEHLER: Spalte »asdfg« existiert nicht
2006-11-13 21:49:22 CET postgres ANWEISUNG: INSERT INTO cp.test(feld_id) VALUES (asdfg::integer)
```

This should read 'asdfg'::integer (with single quotes), as long as you don't make sure the data is numeric in the first place. Could have nasty side-effects otherwise. Home-made 'SQL-injection'?

Or is this by design, so you _can_ enter function calls? (But then again, that would not play well with the rest of the application.)

Actually, I entered a function call and it was evaluated. Subsequent operations on the new row showed a variety of weird effects. Another sample from the log: note how the value is being quoted in the WHERE-clause when trying to change the newly inserted row. Note also that the WHERE clause is quite nonsensical for an integer column.
```
2006-11-13 23:59:03 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:11 CET postgres FEHLER: ungültige Eingabesyntax für ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:11 CET postgres ANWEISUNG: UPDATE cp.feld SET feld_id=NULL::integer WHERE feld_id = 'cp.f_ausgabe_id()'::integer
2006-11-13 23:59:35 CET postgres FEHLER: duplizierter Schlüssel verletzt Unique-Constraint »feld_pkey«
2006-11-13 23:59:35 CET postgres ANWEISUNG: INSERT INTO cp.feld(feld_id) VALUES (cp.f_ausgabe_id()::integer)
2006-11-13 23:59:55 CET postgres FEHLER: ungültige Eingabesyntax für ganze Zahl: »cp.f_ausgabe_id()«
2006-11-13 23:59:55 CET postgres ANWEISUNG: SELECT * FROM cp.feld WHERE feld_id = 'cp.f_ausgabe_id()'::integer
```

Regards
Erwin
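An added example, not pgAdmin's code and not part of the mail above: in Python it reproduces the two statement shapes visible in the log (the bare value in the INSERT, the quoted value in the WHERE clause) and shows the guarded construction the report asks for, checking the pasted text against the column type first and then always emitting it as a quoted literal. Table, column and type names come from the log; the function names and the integer check are constructed for this illustration.

```python
import re

# Constructed demonstration (not pgAdmin's implementation): builders that
# mirror the logged statements next to a guarded builder that treats pasted
# text strictly as data.

INTEGER_RE = re.compile(r"^[+-]?\d+$")


def quote_literal(value: str) -> str:
    """Render text as a PostgreSQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_insert_as_logged(table: str, column: str, pasted: str) -> str:
    """Shape seen in the log: the pasted text is spliced in bare, so the
    server parses it as SQL (a column reference or a function call), not data."""
    return f"INSERT INTO {table}({column}) VALUES ({pasted}::integer)"


def build_where_as_logged(table: str, column: str, pasted: str) -> str:
    """The WHERE clause from the same log does quote the value, which is why
    the follow-up SELECT/UPDATE fail with 'invalid input syntax for integer'."""
    return f"SELECT * FROM {table} WHERE {column} = {quote_literal(pasted)}::integer"


def build_insert_guarded(table: str, column: str, pasted: str,
                         pg_type: str = "integer") -> str:
    """Guarded construction: reject text that is not a valid literal for the
    column type, then emit it quoted so it can only ever be data.
    Only the integer check is implemented here; other types are just quoted."""
    if pg_type == "integer" and not INTEGER_RE.match(pasted.strip()):
        raise ValueError(f"{pasted!r} is not a valid integer literal for {column}")
    return f"INSERT INTO {table}({column}) VALUES ({quote_literal(pasted)}::{pg_type})"


if __name__ == "__main__":
    # The two pasted values from the report, run through both builders.
    for value in ("asdfg", "cp.f_ausgabe_id()"):
        print("as logged :", build_insert_as_logged("cp.test", "feld_id", value))
        try:
            print("guarded   :", build_insert_guarded("cp.test", "feld_id", value))
        except ValueError as exc:
            print("guarded   : rejected,", exc)
```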