pass variable contains null character to postgres may cause SQL error
Imported from http://bugzilla.roxen.com/bugzilla/show_bug.cgi?id=4651
Reported by Eiichiro ITANI, firstname.lastname@example.org
I'm not sure this is bug, or wrong usage of tag. It cause SQL error to throw query postgres with array variable.
Suppose test.html contains these lines.
<emit source="sql" host="postgres-server" query="SELECT :v AS v" bindings="v=form.v"> &_.v; </emit>
RXML run error: Query failed: ERROR: unterminated quoted string at or near "'1" LINE 1: SELECT '1 ^
That error happened because null character directry passed to postgres server. Of course, I should check and sanitize form.v to be plain string.
And I also noticed, accessing
this would make reply just "abc". I checked query log of postgres, and found that query as follows:
BEGIN DECLARE _pikecursor CURSOR FOR SELECT 'abc' as v FETCH 64 IN _pikecursor FETCH 64 IN _pikecursor COMMIT
Characters after null chopped.
Aren't they quoting problem of postgresql binding?