Closed schumannd closed 8 years ago
maxtepkeev
commented
8 years ago So basically, you're proposing to remove everything except letters. I don't think this is a good idea, because I may want to use any characters in my strings and this is a perfectly legal use case.
Also, can you suggest an example that will break this function ?
schumannd
commented
8 years ago You are right, this solution was tailored to my specific usecase.
IIRC the following was the problem when using certain special chars like ';':
"match := LOWER(SUBSTRING(NEW.{{column}} FROM '.{{{{{constraint}}}}}$'));", "tablename := '{{parenttable}}' || match;"
Match is then used in the CHECK constraint without any enclosing quotes. (l. 47, l. 233/255)
maxtepkeev
commented
8 years ago I was able to reproduce it, the fix will be introduced in the next version. Thanks for your time and help.
maxtepkeev
commented
8 years ago Fixed in v0.5.2
SUBSTR(LOWER(NEW.<column_name>), 1, <n>)is used in the trigger function. If the column value contains special characters it breaks. And if you chose n large enough SQL injections become possible. We fixed this using:SUBSTR(LOWER(regexp_replace(NEW.<column_name>, '[^a-zA-Z]', '', 'g')), 1, <n>);Which makes everything much more stable