Bug #655

closed

Wt::Dbo query parser: handle multi-byte UTF-8 characters

Added by Koen Deforche over 13 years ago. Updated about 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
12/23/2010
Due date:
% Done:
0%

Estimated time:

Description

Currently, it appears that the query parser chokes on a query like:

select count(*) from user where name = "绠$悊鍛?"

#1

Updated by Momo LALMI about 13 years ago

It is easy to handle this: if you are looking for the user name "绠$悊鍛?", you will perhaps use a WLineEdit where the user will input "绠$悊鍛?".

After that you can just do the following:

std::string query = "select count(*) from user where name = '" + myLineEdit->text().toUTF8() + "'";

#2

Updated by Koen Deforche about 13 years ago

Hey Mohammed,

Perhaps we should not fix this.

The example you give is indeed a good example of when you would hit this behavior, but it is at the same time also an example of an SQL injection vector (which could be used by a malicious user to execute random statements on your database).

You really need to use bound parameters to safely pass user content in a query:

std::string query = "select count(*) from user where name = ?";

And subsequently bind the value. This is also potentially more efficient because the database will reuse the same prepared statement and execution strategy for the query.

Regards,

koen

#3

Updated by Momo LALMI about 13 years ago

Hi koen,

It might be useful to write a simple example (3-4 lines of code) to explain how to handle a WString in UTF-8 and how to bind the value :)

Hmm, I have to update my code to avoid SQL injection attacks...

Regards

Mohamed

#4

Updated by Koen Deforche about 13 years ago

  • Status changed from New to Resolved

Hey Mohammed,

I am going to update the query()/find() documentation to point to parameter binding in general, and add a note about UTF-8!

Regards,

koen

#5

Updated by Koen Deforche about 13 years ago

  • Status changed from Resolved to Closed