Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for 'for' (loop) command in the SQL parser. #2

Open
aionescu-zz opened this issue Mar 17, 2013 · 6 comments
Open

Support for 'for' (loop) command in the SQL parser. #2

aionescu-zz opened this issue Mar 17, 2013 · 6 comments
Assignees
@takezoe
Labels
feature help wanted mirage module

Comments

@aionescu-zz
Copy link

Please add support for the "for" command in the SQL parser.
E.g. Something like below might be a possibility:

select * from book
/* if $tags !=null AND !$tags.isEmpty() */
    where book.published > 2011
    /* FOR $tag in $tags */
       and  book.tag = /*$tag*/'mirage'
    /*END*/
/*END*/

Of course, one option might be for the above example to use IN with arrays, but because it's bound to only one parameter this is open to SQL Injection, so in this case the Prepared Statement doesn't bring too much advantage and security.
(besides there are many more cases where it's simply not possible to reformulate the statement to make use of IN with arrays).

Thank you very much.
@takezoe
Copy link
Member

takezoe commented Mar 18, 2013

Thanks for your request.

Yes, I understand a necessity for FOR loop. But I have one question in your comment.

it's bound to only one parameter this is open to SQL Injection

What does it mean? I think it's safe to give the array which has one element to IN parameter. Are you describing about other case?

If there are any cases which cause SQL injection with /*var*/ (NOT /*$var*/), it's a bug of Mirage, so I'll fix it as soon as possible.

@aionescu-zz
Copy link
Author

But I have one question in your comment.

it's bound to only one parameter this is open to SQL Injection

What does it mean? I think it's safe to give the array which has one element to IN parameter. Are you describing about other case?

An array with more than one element is the problem.

I think last time I've tried, with a Prepared Statement was possible to bind only one parameter, not a "variable sized one", i.e.

where something IN (?)

So since Mirage allows to "bind an array", it must concatenate the elements, and since it doesn't seems to use
http://code.google.com/p/owasp-esapi-java/ that's probably not SQL injection proof.

@takezoe
Copy link
Member

takezoe commented Mar 18, 2013

a Prepared Statement was possible to bind only one parameter, not a "variable sized one"

Yes, so Mirage expands array binding to the multiple placeholder.

where something IN /*array*/

to

where something IN (?, ?, ...)

See #1 (comment) to know how to bind array as IN parameter in Mirage:

@ghost ghost assigned takezoe Mar 19, 2013
@hansgru
Copy link
Contributor

hansgru commented Aug 4, 2013

Any news on the "loop" command support?

@werne
Copy link

werne commented Apr 17, 2014

I subscribe to @hansgru 's request. A "for" loop would simplify quite a few scenarios.

tnx

@aadrian
Copy link
Member

aadrian commented Dec 27, 2014

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@takezoe takezoe

Labels
feature help wanted mirage module
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@aadrian @aionescu-zz @takezoe @hansgru @werne