I came across something odd that I feel is to blatant to be a bug so I am guessing that I am doing something wrong: I have the following Table:
CREATE TABLE BlurbTest
(
ID SERIAL NOT NULL
,Blurb TEXT NOT NULL
);
With the following stored proc:
DELIMITER $$
CREATE PROCEDURE spInsertBlurbTest
(
OUT ID INT
,IN BlurbParm TEXT
)
BEGIN
INSERT INTO BlurbTest(
Blurb
) VALUES (
BlurbParm
);
SET ID = LAST_INSERT_ID();
END$$
DELIMITER ;
and the following C# code:
using (var conn = new MySqlConnection(Settings.ConnectionString))
{
conn.Open();
using (var cmd = conn.CreateCommand())
{
cmd.CommandText = "spInsertBlurbTest";
cmd.CommandType = CommandType.StoredProcedure;
MySqlCommandBuilder.DeriveParameters(cmd);
cmd.Parameters["@BlurbParm"].Value = "let's do it";
cmd.ExecuteNonQuery(); // Throws Exception
}
}
Which is throwing an excep开发者_如何学Pythontion with the following message. {"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's do it')' at line 1"}
Now, correct me if I am wrong, but is this not exactly the type of problem that stored procedures and parameters are intended to solve in order to aid against injection attacks?
Or am I doing something wrong here?
You're right, but the driver may not be correctly escaping these characters. Is this yours?
http://bugs.mysql.com/bug.php?id=48247
精彩评论