
[hibernate-issues] [Hibernate-JIRA] Commented: (HHH-3263) Postgres
dialect quoting defect

Anupam M (JIRA)

2008-05-14


  [ http://opensource.atlassian.com/projects/hibernate/browse/HHH-3263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_30188 ]

Stephan Fuhrmann commented on HHH-3263:
---------------------------------------

This problem comes from a wrongly created DB using postgres charset "LATIN-9".
Using postgres charset "UNICODE" works.

Besides this mistake it shouldn't be the DB's task to accidentally issue dangerous stuff.


> Postgres dialect quoting defect
> -------------------------------
>
>           Key: HHH-3263
>           URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-3263
>         Project: Hibernate3
>       Issue Type: Bug
>   Affects Versions: 3.2.6
>      Environment: hibernate-3.2.6.ga, postgres 7.4.19, jdbc-driver postgresql-8.3-603.jdbc4.jar
>        Reporter: Stephan Fuhrmann
>        Priority: Critical
>      Attachments: hibernate.cfg.xml
>
>
> Special characters do not seem to be quoted / escaped. This makes the database parser throw an exception if it encounters such an unescaped String:
> org.hibernate.exception.DataException: could not insert collection: [org.fstool.io.fs.UserInfoAttributes.attributes#205]
>      at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:77)
>      at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
>      at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1183)
>      at org.hibernate.action.CollectionRecreateAction.execute(CollectionRecreateAction.java:39)
>      at org.hibernate.engine.ActionQueue.execute(ActionQueue.java:279)
>      at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:263)
>      at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:171)
>      at org.hibernate.event.def.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:298)
>      at org.hibernate.event.def.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:27)
>      at org.hibernate.impl.SessionImpl.flush(SessionImpl.java:1000)
>      at sun.reflect.GeneratedMethodAccessor35.invoke(Unknown Source)
>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>      at java.lang.reflect.Method.invoke(Method.java:597)
>      at org.hibernate.context.ThreadLocalSessionContext$TransactionProtectionWrapper.invoke(ThreadLocalSessionContext.java:301)
>      at $Proxy0.flush(Unknown Source)
>      ...
> Caused by: java.sql.BatchUpdateException: Batch-Eintrag 6 insert into attributes (id, property_name, property_value) values (205, 9, (¯`'<95>.?<95> a <95>?. <95>'?¯)) wurde abgebrochen. Rufen Sie 'getNextException' auf, um die Ursache zu erfahren.
>      at org.postgresql.jdbc2.AbstractJdbc2Statement$BatchResultHandler.handleError(AbstractJdbc2Statement.java:2537)
>      at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1328)
>      at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:351)
>      at org.postgresql.jdbc2.AbstractJdbc2Statement.executeBatch(AbstractJdbc2Statement.java:2674)
>      at org.hibernate.jdbc.BatchingBatcher.doExecuteBatch(BatchingBatcher.java:48)
>      at org.hibernate.jdbc.BatchingBatcher.addToBatch(BatchingBatcher.java:34)
>      at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1146)
>      ... 22 more
> The offending character seems to be ISO 8859-1 0xb4 (ACUTE ACCENT).
> The map file excerpt for this:
> ...
>           <map name="attributes">
>                 <key column="id"/>
>                 <index-many-to-many column="property_name" class="org.fstool.io.fs.AttributeKey"/>
>                 <element column="property_value" type="string"/> <!-- this hurts -->
>           </map>
> ...
> The application doesn't need to care about escaping because Hibernate does the job of O/R-mapping.
> The problem does NOT exist for the DerbyDialect - this works fine!
> Note: If characters get passed to the DB unescaped this is a security risk opening a hole for SQL injection! Therefore I marked this problem critical.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

   

_______________________________________________
hibernate-issues mailing list
hibernate-issues@(protected)
https://lists.jboss.org/mailman/listinfo/hibernate-issues
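
The following is an added example, not part of the original message or of Hibernate: a pre-insert check that lists which characters of a string have no representation in a target encoding. ISO-8859-15 is the encoding PostgreSQL calls LATIN9; it reassigns byte 0xB4 from ACUTE ACCENT to Ž, so U+00B4 (the character named in the report) is encodable in ISO-8859-1 and UTF-8 but not in ISO-8859-15. The class name, method name and sample string are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.util.ArrayList;
import java.util.List;

public class EncodingPreflight {

    /** Describes every code point in value that the target charset cannot encode. */
    static List<String> unencodable(String value, Charset target) {
        CharsetEncoder encoder = target.newEncoder();
        List<String> problems = new ArrayList<>();
        for (int i = 0; i < value.length(); ) {
            int cp = value.codePointAt(i);
            String ch = new String(Character.toChars(cp));
            if (!encoder.canEncode(ch)) {
                problems.add(String.format("index %d: U+%04X (%s)",
                        i, cp, Character.getName(cp)));
            }
            // Advance by one or two chars so surrogate pairs are handled as one code point.
            i += Character.charCount(cp);
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample: macron, backtick, apostrophe, bullet, acute accent.
        String sample = "(\u00AF`'\u2022 a \u00B4)";

        // Compare the encoding of the failing database (LATIN9 = ISO-8859-15)
        // with ISO-8859-1 and with the Unicode encoding that worked.
        String[] encodings = {"ISO-8859-1", "ISO-8859-15", "UTF-8"};
        for (String name : encodings) {
            List<String> problems = unencodable(sample, Charset.forName(name));
            System.out.println(name + ": "
                    + (problems.isEmpty() ? "all characters encodable" : problems));
        }
    }
}
```

Running the same check against the database's configured encoding before a flush turns an opaque batch failure into a message that names the offending character and its position.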