Derby
  1. Derby
  2. DERBY-1433

Client driver does not handle string literals containing "where current of" correctly

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: 10.2.1.6
    • Fix Version/s: None
    • Component/s: Network Client, SQL
    • Urgency:
      Normal

      Description

      If a string literal contains 'where current of something', the client driver tries to substitute 'something' with the corresponding cursor name on the server. This can lead to an exception being raised (no such cursor) or the string literal being modified. See attached repro.

      The bug is also present in JCC.

      1. cursor.java
        1.0 kB
        Knut Anders Hatlen

        Activity

        Hide
        Knut Anders Hatlen added a comment -

        Attached a repro for the bug (cursor.java).

        When the program is run, it is supposed to print
        Writing where current of in SQL is bad!
        but instead it prints
        Writing where current of SQL_CURLH000C1 SQL is bad!

        Show
        Knut Anders Hatlen added a comment - Attached a repro for the bug (cursor.java). When the program is run, it is supposed to print Writing where current of in SQL is bad! but instead it prints Writing where current of SQL_CURLH000C1 SQL is bad!
        Hide
        Rick Hillegas added a comment -

        Moving to 10.2.2.0.

        Show
        Rick Hillegas added a comment - Moving to 10.2.2.0.
        Hide
        Bernt M. Johnsen added a comment -

        The result of the repo in 10.2.1.6 is
        Exception in thread "main" java.sql.SQLException: Cursor name 'IN' is already in use
        at org.apache.derby.client.am.SQLExceptionFactory.getSQLException(Unknown Source)
        at org.apache.derby.client.am.SqlException.getSQLException(Unknown Source)
        at org.apache.derby.client.am.Statement.executeQuery(Unknown Source)
        at cursor.main(cursor.java:22)
        Caused by: org.apache.derby.client.am.SqlException: Cursor name 'IN' is already in use
        at org.apache.derby.client.am.Statement.checkForDuplicateCursorName(Unknown Source)
        at org.apache.derby.client.am.Statement.flowExecute(Unknown Source)
        at org.apache.derby.client.am.Statement.executeQueryX(Unknown Source)
        ... 2 more

        Show
        Bernt M. Johnsen added a comment - The result of the repo in 10.2.1.6 is Exception in thread "main" java.sql.SQLException: Cursor name 'IN' is already in use at org.apache.derby.client.am.SQLExceptionFactory.getSQLException(Unknown Source) at org.apache.derby.client.am.SqlException.getSQLException(Unknown Source) at org.apache.derby.client.am.Statement.executeQuery(Unknown Source) at cursor.main(cursor.java:22) Caused by: org.apache.derby.client.am.SqlException: Cursor name 'IN' is already in use at org.apache.derby.client.am.Statement.checkForDuplicateCursorName(Unknown Source) at org.apache.derby.client.am.Statement.flowExecute(Unknown Source) at org.apache.derby.client.am.Statement.executeQueryX(Unknown Source) ... 2 more
        Hide
        Bernt M. Johnsen added a comment -

        The code in java/client/org/apache/derby/client/am/Statement.java just localizes the last "where" before the last "current" and uses the StringTokenizer to check wether it is "where current of", and considers the next token after "of" to be the cursor name. No code to cope with string literals, quoted identifiers (if someone where to name a table or column as "where current of foo") nor comments.

        A somewhat more intelligent parser is needed.

        Show
        Bernt M. Johnsen added a comment - The code in java/client/org/apache/derby/client/am/Statement.java just localizes the last "where" before the last "current" and uses the StringTokenizer to check wether it is "where current of", and considers the next token after "of" to be the cursor name. No code to cope with string literals, quoted identifiers (if someone where to name a table or column as "where current of foo") nor comments. A somewhat more intelligent parser is needed.
        Hide
        Bernt M. Johnsen added a comment -

        There's more to it. There are several instance of ad-hoc pasing in java/client/org/apache/derby/client/am/Statement.java. E.g. when figuring out what kind of statement it is (QUERY, UPDATE, INSERT, DELETE, CALL etc), when {?=CALL(.....)} is unescaped (Why is that necassry for CALL when it's not needed for other escapes).

        The proper solution would be one lightweight parser for all these needs (The even more proper solution would have been a network protocol on a semantic layer where such client parsing were unecessary).

        Show
        Bernt M. Johnsen added a comment - There's more to it. There are several instance of ad-hoc pasing in java/client/org/apache/derby/client/am/Statement.java. E.g. when figuring out what kind of statement it is (QUERY, UPDATE, INSERT, DELETE, CALL etc), when {?=CALL(.....)} is unescaped (Why is that necassry for CALL when it's not needed for other escapes). The proper solution would be one lightweight parser for all these needs (The even more proper solution would have been a network protocol on a semantic layer where such client parsing were unecessary).
        Hide
        Rick Hillegas added a comment -

        Unknown release vehicle.

        Show
        Rick Hillegas added a comment - Unknown release vehicle.
        Hide
        Bernt M. Johnsen added a comment -

        This is a larger issue, and the client driver needs some kind of a light-weight parser to deal this and related issues. See previous commnt. I unassign myself from this one (at least for the moment).

        Show
        Bernt M. Johnsen added a comment - This is a larger issue, and the client driver needs some kind of a light-weight parser to deal this and related issues. See previous commnt. I unassign myself from this one (at least for the moment).
        Hide
        Kathey Marsden added a comment -

        Taking off of High Value Fix. Although important, the fix is somewhat complex with the introduction of a parser of some sort in the client.

        Show
        Kathey Marsden added a comment - Taking off of High Value Fix. Although important, the fix is somewhat complex with the introduction of a parser of some sort in the client.

          People

          • Assignee:
            Unassigned
            Reporter:
            Knut Anders Hatlen
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:

              Development