mirage icon indicating copy to clipboard operation
mirage copied to clipboard

Published 20 hours ago verified publisher icon mirage-sql

Support for 'for' (loop) command in the SQL parser.

Open aionescu-zz opened this issue 12 years ago • 6 comments

Please add support for the "for" command in the SQL parser. E.g. Something like below might be a possibility:

select * from book
/* if $tags !=null AND !$tags.isEmpty() */
    where book.published > 2011
    /* FOR $tag in $tags */
       and  book.tag = /*$tag*/'mirage'
    /*END*/
/*END*/

Of course, one option might be for the above example to use IN with arrays, but because it's bound to only one parameter this is open to SQL Injection, so in this case the Prepared Statement doesn't bring too much advantage and security. (besides there are many more cases where it's simply not possible to reformulate the statement to make use of IN with arrays).

Thank you very much.

aionescu-zz avatar Mar 17 '13 11:03 aionescu-zz

Thanks for your request.

Yes, I understand a necessity for FOR loop. But I have one question in your comment.

it's bound to only one parameter this is open to SQL Injection

What does it mean? I think it's safe to give the array which has one element to IN parameter. Are you describing about other case?

If there are any cases which cause SQL injection with /*var*/ (NOT /*$var*/), it's a bug of Mirage, so I'll fix it as soon as possible.

takezoe avatar Mar 18 '13 16:03 takezoe

But I have one question in your comment.

it's bound to only one parameter this is open to SQL Injection

What does it mean? I think it's safe to give the array which has one element to IN parameter. Are you describing about other case?

An array with more than one element is the problem.

I think last time I've tried, with a Prepared Statement was possible to bind only one parameter, not a "variable sized one", i.e.

where something IN (?)

So since Mirage allows to "bind an array", it must concatenate the elements, and since it doesn't seems to use http://code.google.com/p/owasp-esapi-java/ that's probably not SQL injection proof.

aionescu-zz avatar Mar 18 '13 20:03 aionescu-zz

a Prepared Statement was possible to bind only one parameter, not a "variable sized one"

Yes, so Mirage expands array binding to the multiple placeholder.

where something IN /*array*/

to

where something IN (?, ?, ...)

See https://github.com/takezoe/mirage/issues/1#issuecomment-14438381 to know how to bind array as IN parameter in Mirage:

takezoe avatar Mar 18 '13 23:03 takezoe

Any news on the "loop" command support?

hansgru avatar Aug 04 '13 14:08 hansgru

I subscribe to @hansgru 's request. A "for" loop would simplify quite a few scenarios.

tnx

werne avatar Apr 17 '14 21:04 werne

+1

aadrian avatar Dec 27 '14 09:12 aadrian