Skip to content
GitLab
Closed
Created by Peter Bortas@zinoOwner

pass variable contains null character to postgres may cause SQL error

Imported from http://bugzilla.roxen.com/bugzilla/show_bug.cgi?id=4651

Reported by Eiichiro ITANI, emu@ceres.dti.ne.jp

I'm not sure this is bug, or wrong usage of tag. It cause SQL error to throw query postgres with array variable.

Suppose test.html contains these lines.

<emit source="sql" host="postgres-server"
  query="SELECT :v AS v" bindings="v=form.v">
  &_.v;
</emit>

Then, accessing

http://host/test.html?v=1&v=2

causes error

RXML run error: Query failed: ERROR: unterminated quoted string at or near "'1" LINE 1: SELECT '1 ^

|

That error happened because null character directry passed to postgres server. Of course, I should check and sanitize form.v to be plain string.

And I also noticed, accessing

http://host/test.html?v=abc%00def

this would make reply just "abc". I checked query log of postgres, and found that query as follows:

BEGIN DECLARE _pikecursor CURSOR FOR SELECT 'abc' as v FETCH 64 IN _pikecursor FETCH 64 IN _pikecursor COMMIT

Characters after null chopped.

Aren't they quoting problem of postgresql binding?