GNOME Bugzilla – Bug 168147
Save to database doesn't quote inserts
Last modified: 2008-12-24 15:20:44 UTC
Distribution/Version: FC3

1. Create a new project.
2. Create a new task.
3. Edit the task and in the notes section put: this'll mess it up
4. Close the task and attempt to save to database. Planner will fail (no error messages on the desktop) with the following error on the command line:

[iainr@eagle bugzilla2planner]$ planner
** (planner:10738): WARNING **: INSERT command failed (task) ERROR: syntax error at or near "ll" at character 204 .
** (planner:10738): WARNING **: Couldn't write tasks.

and from the postgres log file we get:

LOG: statement: UPDATE project SET cal_id=40 WHERE proj_id=62
LOG: statement: UPDATE project SET default_group_id=NULL WHERE proj_id=62
LOG: statement: INSERT INTO task(proj_id, parent_id, name, note, start, finish, work, duration, percent_complete, is_milestone, is_fixed_work, constraint_type, constraint_time, priority) VALUES(62, NULL, 'thing', 'this'll mess it up', '2005-02-22 00:00:00+0', '2005-02-22 17:00:00+0', 28800, 28800, 0, false, true, 'ASAP', NULL, 0)
ERROR: syntax error at or near "ll" at character 204
LOG: statement: COMMIT

The code inserting the row is treating the apostrophe in the text as a ' character in the SQL; it needs to be quoted somehow.
Seems that there is a fundamental bug in the code. There should be use of bind variables instead of injecting values into the insert clause (by using sprintf or similar); it will fix this issue. This is also a security issue called "SQL injection".
Reading some blogs, it seems the GdaParameterList is not used and being planned for removal from libgda, so that's not an option.
*** Bug 318471 has been marked as a duplicate of this bug. ***
Given how this is indicated as an SQL injection security issue, it would be desirable to fix this ASAP.
Hi, I am using 0.14.2 and this bug isn't fixed yet. Would it be fixed in the future? Regards, Stefan
Hi, I'm adopting the Debian package for planner, and I'd like to know whether this bug is going to be fixed any soon. Thanks, David
It might be a good idea to sync with the 0.14.3-2 package that is currently in Debian/unstable, before you actually adopt the package.
Hi Martin, I'm already using Debian sid/experimental, thus planner is at 0.14.3-2. I was just reviewing the BTS page of planner, and I posted that comment just to hear^Wread something from upstream about this bug.
I'll look into this, but don't let that stop you from submitting a patch =)
Created attachment 110193 [details] [review]
Patch that escapes and quotes all strings in SQL statements

I would appreciate it if someone can review this patch in detail. I tried to make sure I got all possible places where SQL could be injected.
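The failure from the report and the two fixes discussed in this thread (escaping and quoting every string value, and bind variables), as an added example that is not planner's code or the attached patch. It assumes Python's sqlite3 as a stand-in for libgda/PostgreSQL and a constructed, reduced "task" table; the sqlite parser fails on the same unescaped apostrophe as PostgreSQL does in the log above.

```python
import sqlite3

# Constructed stand-in for planner's "task" table, reduced to the columns
# needed to show the failure; sqlite3 stands in for PostgreSQL/libgda.
SCHEMA = "CREATE TABLE task(proj_id INTEGER, name TEXT, note TEXT)"
NOTE = "this'll mess it up"  # the note text from the bug report

def insert_unquoted(conn, proj_id, name, note):
    """Splice values into the SQL text, as the report describes.
    The apostrophe in NOTE ends the literal early and the rest of the
    note is parsed as SQL: a syntax error here, an injection point in
    general."""
    sql = ("INSERT INTO task(proj_id, name, note) VALUES(%d, '%s', '%s')"
           % (proj_id, name, note))
    conn.execute(sql)

def quote_literal(text):
    """Escape-and-quote (the approach the attached patch takes): double
    each apostrophe and wrap the value in single quotes."""
    return "'" + text.replace("'", "''") + "'"

def insert_escaped(conn, proj_id, name, note):
    """Still string-built, but every string value passes quote_literal."""
    sql = ("INSERT INTO task(proj_id, name, note) VALUES(%d, %s, %s)"
           % (proj_id, quote_literal(name), quote_literal(note)))
    conn.execute(sql)

def insert_bound(conn, proj_id, name, note):
    """Bind variables: values travel separately from the statement text,
    so their content can never change the SQL that runs."""
    conn.execute("INSERT INTO task(proj_id, name, note) VALUES(?, ?, ?)",
                 (proj_id, name, note))

def reproduce():
    """Run the three variants on the same note. Returns whether the naive
    insert failed and the notes actually stored by the two safe ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_unquoted(conn, 62, "thing", NOTE)
        unquoted_failed = False
    except sqlite3.OperationalError:
        unquoted_failed = True
    insert_escaped(conn, 62, "thing", NOTE)
    insert_bound(conn, 62, "thing", NOTE)
    notes = [row[0] for row in conn.execute("SELECT note FROM task")]
    return unquoted_failed, notes
```

Escaping only works if every string value in every statement goes through quote_literal, which is why the patch needs the line-by-line review asked for above; bind variables remove that per-call-site burden.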
I solved it slightly differently in the current development version. Support for libgda versions older than 3.0 has been dropped in the process. Bind variables are still not fully supported in 3.0, so that'll have to wait until we support 4.0.