From: Ludovic Brenta <ludovic@ludovic-brenta.org>
Subject: Re: Possible "bug" found in gnatcoll-sql_impl.adb
Date: Fri, 25 Feb 2011 06:44:46 -0800 (PST)
Date: 2011-02-25T06:44:46-08:00 [thread overview]
Message-ID: <c09011b3-204f-441f-b575-f5403f0fd6a4@v31g2000vbs.googlegroups.com> (raw)
In-Reply-To: 4d67b8af$0$23765$14726298@news.sunsite.dk
Thomas Løcke wrote on comp.lang.ada:
> The GNATCOLL.SQL_Impl.String_To_SQL function has this in it:
As the name of the function suggests, this converts a string to an SQL
statement (also a string).
Your problem happens not in SQL statements but in bound parameters.
For a bound parameter, it is incorrect to call String_To_SQL because
the value of the bound parameter does not need to be in SQL syntax.
> This is where the extra single quotes are added, and for SQL WHERE
> string criterias this is a good thing.
Only if you do not use bound parameters in your WHERE clauses.
> It simply means that you can do
>
> Billy : constant String := "Billy";
> Q : constant SQL_Query := SQL_Select
> (Fields => Tmp.Id & Tmp.Name,
> From => Tmp,
> Where => Tmp.Name = Billy);
>
> and not have to worry about adding the single quotes manually to your
> string.
Right but this produces the legal SQL statement:
SELECT id, name FROM tmp WHERE name = 'Billy'
as opposed to the prepared statement:
SELECT id, name FROM tmp WHERE name = ?
In a prepared statement, you can bind the value Billy (without any
quotes) to the parameter. BTW, this also applies to the LIKE
operator, in which the value of the parameter can contain % signs that
are wildcards for "zero or more characters".
> Perhaps there's a hidden function somewhere in GNATColl that alleviates
> this annoying issue, but if that is the case, then I haven't been able
> to find it.
>
> Am I really the only one experiencing this? Or do GNATColl users in
> general not care about those extra single quotes added to their string
> data?
It seems GNATColl has a bug whereby it incorrectly converts the value
of bound parameters to SQL, when it should not.
> I'd very much like to help fix this, but GNATColl is a rather large and
> intimidating beast, so I'd rather not dig in too deep if it turns out
> I've just overlooked some brilliant piece of design that fixes all this.
Use prepared statements and bound parameters. Always. This avoids
nasty issues such as quoting, protection against SQL injection
attacks, etc.
--
Ludovic Brenta.
next prev parent reply other threads:[~2011-02-25 14:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-23 11:58 GNATcoll and parameterized queries have me confused Thomas Løcke
2011-02-23 12:32 ` Thomas Løcke
2011-02-25 14:11 ` Possible "bug" found in gnatcoll-sql_impl.adb Thomas Løcke
2011-02-25 14:44 ` Ludovic Brenta [this message]
2011-02-25 14:53 ` Thomas Løcke
2011-02-28 11:17 ` Ludovic Brenta
2011-02-28 14:04 ` Emmanuel Briot
2011-03-01 8:03 ` Thomas Løcke
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox