[ic] sql query with UNION broken
Kevin Walsh
kevin at cursor.biz
Mon Aug 25 16:06:28 EDT 2003
Mike Heins [mike at perusion.com] wrote:
> > >
> > > Since whitespace is \W, we can simplify to \W*.
> >
> > That's right! So that makes it a one-character patch. I just committed it.
> >
> We should probably think about security implications of this -- I am not
> sure (SELECT ...) is standard ANSI SQL, and I am not enough of a SQL guru
> to authoritatively speak to it.
>
Parentheses around the SELECT are valid ANSI SQL, as long as you're
enclosing the statement for a reason. Reasons include sub-selects,
UNION statements and a couple of others. It's only the UNION, as far
as I know, that could require the parentheses to be placed before the
leading SELECT keyword.
As the \W would prevent SQL keywords (or any words), I don't think
there's any need to be concerned about security; the best someone could
do is force a syntax error, which would be trapped by the SQL server's
parser anyway.
I think that it would be very weird for someone to code an SQL statement
to include user-controllable variables prior to the SELECT statement
anyway. If anyone did so, then that could be a security hole in its
own right, but would be one of their own making.
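The \W* prefix guard discussed in this thread, as an added Python example that is not Interchange's own code. The thread does not quote the real regex, so the two guard patterns (whitespace-only prefix before the patch, \W* after it), the case-insensitive matching and the sample queries are all assumptions constructed here; Perl's \W has the same meaning as Python's.

```python
import re

# Constructed approximation of the Interchange query guard. Assumption: the
# guard anchors on a leading SELECT, and the one-character patch widened the
# allowed prefix from whitespace (\s*) to any non-word characters (\W*), which
# is what a "(SELECT ...) UNION (SELECT ...)" query needs.
GUARD_BEFORE_PATCH = re.compile(r"\A\s*SELECT\b", re.IGNORECASE)
GUARD_AFTER_PATCH = re.compile(r"\A\W*SELECT\b", re.IGNORECASE)


def starts_with_select(query: str, guard: re.Pattern = GUARD_AFTER_PATCH) -> bool:
    """True when the guard accepts the query as a SELECT-led statement."""
    return guard.match(query) is not None


def leading_nonword(query: str) -> str:
    """The characters the \\W* prefix actually swallowed, for inspection."""
    m = GUARD_AFTER_PATCH.match(query)
    return m.group(0)[: -len("SELECT")] if m else ""


# Constructed sample queries: (query, accepted before patch, accepted after patch).
SAMPLES = [
    ("SELECT id FROM products", True, True),
    ("  select id from products", True, True),
    # The UNION case from the thread: the statement legitimately begins with "(".
    ("(SELECT id FROM a) UNION (SELECT id FROM b)", False, True),
    # A word character can never satisfy \W*, so no SQL keyword fits in the
    # prefix; both guards reject a statement led by another keyword.
    ("INSERT INTO t SELECT * FROM s", False, False),
    ("DELETE FROM products", False, False),
    # Non-word junk before SELECT is accepted by \W*; at worst the SQL parser
    # reports a syntax error, which is the point made in the reply.
    ("))) SELECT 1", False, True),
    # Caveat: the guard looks only at the leading keyword. Anything after it,
    # including interpolated user input, is not inspected, so this is a
    # statement-type filter and no substitute for parameterised queries.
    ("SELECT name FROM t WHERE id = '$user_input'", True, True),
]


def check_samples() -> bool:
    """Every sample behaves as annotated under both guards."""
    return all(
        starts_with_select(q, GUARD_BEFORE_PATCH) == before
        and starts_with_select(q, GUARD_AFTER_PATCH) == after
        for q, before, after in SAMPLES
    )
```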