#7496 closed defect (fixed)
SQL error on Trac 0.12
| Reported by: | Daniel Westermann-Clark | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Component: | TicketMoverPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Jun Omae, Steffen Hoffmann | Trac Release: | 0.12 |
Description (last modified by )
On Trac 0.12, an error results when moving a ticket:
ProgrammingError: operator does not exist: text = integer LINE 1: SELECT * FROM attachment WHERE id=17 ^ HINT: No operator matches the given name and argument type(s). You might need to add explicit type casts.
This occurs on PostgreSQL databases, at least, due to its use of strict type checking.
A simple fix is to quote the value in the SQL statement. This works on PostgreSQL and SQLite databases.
-
0.11/ticketmoverplugin/ticketmover.py
188 188 189 189 # copy the changelog and attachment DBs 190 190 for table, _id in tables.items(): 191 for row in get_all_dict(self.env, "SELECT * FROM %s WHERE %s =%s" % (table, _id, ticket_id)):191 for row in get_all_dict(self.env, "SELECT * FROM %s WHERE %s = '%s'" % (table, _id, ticket_id)): 192 192 row[_id] = new_ticket.id 193 193 insert_row_from_dict(env, table, row) 194 194
Attachments (0)
Change History (7)
comment:1 Changed 12 years ago by
comment:2 follow-up: 7 Changed 12 years ago by
In case it's helpful, here is a more permanent link to the referenced patch:
comment:3 Changed 12 years ago by
| Cc: | Jun Omae added; anonymous removed |
|---|---|
| Owner: | changed from Jeff Hammel to Ryan J Ollos |
| Status: | new → assigned |
Thanks, I'll take care of this if no one beats me to it.
comment:4 Changed 12 years ago by
| Cc: | Steffen Hoffmann added |
|---|
I have a slightly different patch that seems to fix the reported issue, and might also fix another issue.
- I think that we should not be using string formatting for
ticket_idsince the value comes from the request, and therefore doing so opens up the possibility for SQL injection. Replace,with,get_all_dict(self.env, "SELECT * FROM %s WHERE %s=%s" % (table, _id, ticket_id))
get_all_dict(self.env, "SELECT * FROM %s WHERE %s=%%s" % (table, _id), str(ticket_id))
- In the aforementioned query,
(table, _id)takes on the values('attachment', 'id'), which is aTEXTfield, and('ticket_change', 'ticket'), which is anINTEGERfield (t:TracDev/DatabaseSchema#DatabaseSchema0.11). Given that the change shown above fixes this issue but results in a cast ofticket_idto a string for both fields, I have to assume that PostgreSQL allows an implicit cast of a string to an integer, but not an integer to a string.
comment:5 follow-up: 6 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:6 Changed 12 years ago by
Replying to rjollos:
Prevent possibility of SQL injection since
ticket_idcomes from the request.
+1, better indeed. Definitely the way to go.
comment:7 Changed 12 years ago by
| Description: | modified (diff) |
|---|
Replying to dwc:
In case it's helpful, here is a more permanent link to the referenced patch:
Thanks for taking care. But the most "permanent" way to provide the patch, would have been to attach a patch file to this ticket, or just inline the patch into the description, so it is really self-contained and not relying on external resources. I've done so for you now.
#10720 closed as a duplicate.