开发者

MySql Stored Procedures Parameter Escaping

开发者 https://www.devze.com 2022-12-09 09:35 出处:网络
I came across something odd that I feel is to blatant to be a bug so I am guessing that I am doing something wrong: I have the following Table:

I came across something odd that I feel is to blatant to be a bug so I am guessing that I am doing something wrong: I have the following Table:

CREATE TABLE BlurbTest
(   
     ID      SERIAL NOT NULL
    ,Blurb   TEXT NOT NULL
);

With the following stored proc:

DELIMITER $$

CREATE PROCEDURE spInsertBlurbTest
(
     OUT ID INT
    ,IN  BlurbParm TEXT
)
BEGIN
    INSERT INTO BlurbTest(
        Blurb
    ) VALUES (
        BlurbParm
    );
    SET ID = LAST_INSERT_ID();
END$$

DELIMITER ;

and the following C# code:

using (var conn = new MySqlConnection(Settings.ConnectionString))
{
    conn.Open();
    using (var cmd = conn.CreateCommand())
    {
        cmd.CommandText = "spInsertBlurbTest";
        cmd.CommandType = CommandType.StoredProcedure;
        MySqlCommandBuilder.DeriveParameters(cmd);
        cmd.Parameters["@BlurbParm"].Value = "let's do it";
        cmd.ExecuteNonQuery(); // Throws Exception
    }
}

Which is throwing an excep开发者_如何学Pythontion with the following message. {"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's do it')' at line 1"}

Now, correct me if I am wrong, but is this not exactly the type of problem that stored procedures and parameters are intended to solve in order to aid against injection attacks?

Or am I doing something wrong here?


You're right, but the driver may not be correctly escaping these characters. Is this yours?

http://bugs.mysql.com/bug.php?id=48247

0

精彩评论

暂无评论...
验证码 换一张
取 消