Let's say I have the following query:
select * from scribe where ServerName=&s1 union select * from scribe where ServerName=&s1 select * from scribe where ServerName=&s1 union select * from scribe where ServerName=&s1
W/ parameterized scripts turned on, when I execute this query, I'm prompted to specify the value of 's1'. After specifying it & pressing the "Execute" button, I get an error stating that I have an error in my SQL syntax. The generated query that ADStudio tries to execute is below. Notice that ADStudio did not substitute a value for 's1'.
select * from scribe where ServerName='s1' union select * from scribe where ServerName='s1' select * from scribe where ServerName='s1' union select * from scribe where ServerName='s1'
This is the simplest query that fails:
select * from scribe
where &ua
and Referrer = ''
union
select ',' from scribe
where &ua
and Referrer = ''
If you take out either single quote, or the ',' then it works.
The parameter parser was treating two single quotes as one (escaped) quote. The fix is to only observe an escaped quote inside a quote.
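An added example, not code from this report or from ADStudio: a simplified quote scanner run over the report's simplest failing query, showing why `''` can count as an escaped quote only inside a literal. The pre-fix branch is an assumed reading of the description above, and `split_literals` and its flag are hypothetical names.

```python
# Added illustration: a simplified quote scanner, not ADStudio's parser.
# QUERY is the "simplest query that fails" quoted in this report.
QUERY = (
    "select * from scribe\n"
    "where &ua\n"
    "and Referrer = ''\n"
    "union\n"
    "select ',' from scribe\n"
    "where &ua\n"
    "and Referrer = ''"
)


def split_literals(sql, escape_only_inside=True):
    """Return (text_outside_literals, literal_contents).

    escape_only_inside=True  -> '' is an escaped quote only inside a literal;
                                outside, it opens and closes an empty string.
    escape_only_inside=False -> assumed pre-fix reading: '' is folded into one
                                quote everywhere, so outside it opens a literal.
    """
    outside, literals, buf = [], [], []
    inside, i = False, 0
    while i < len(sql):
        doubled = sql.startswith("''", i)
        if inside and doubled:                 # escaped quote within a literal
            buf.append("'")
            i += 2
        elif inside and sql[i] == "'":         # closing quote
            literals.append("".join(buf))
            buf, inside = [], False
            i += 1
        elif inside:
            buf.append(sql[i])
            i += 1
        elif doubled and not escape_only_inside:
            inside = True                      # two quotes consumed as one opener
            i += 2
        elif sql[i] == "'":                    # ordinary opening quote
            inside = True
            i += 1
        else:
            outside.append(sql[i])
            i += 1
    if inside:                                 # unterminated literal: keep the tail
        literals.append("".join(buf))
    return "".join(outside), literals


if __name__ == "__main__":
    for mode in (False, True):
        code, lits = split_literals(QUERY, escape_only_inside=mode)
        print(mode, lits, code.count("&ua"))
```

With the assumed pre-fix reading, the first empty string opens a literal that is never balanced, so the second `&ua` lands inside literal text; with the fix the literals are the two empty strings and `,`, and both `&ua` markers stay outside.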
Note to QA: we need to perform a significant amount of regression testing around parameterized scripts. We have customers w/ 100s of highly complex parameterized scripts.
Verified in 13.0-rc-6. ADStudio now substitutes the value for 's1'. I was not able to replicate the error with ADS 12.0.16-1.
Use this query against SQL Server 2008 R2 against the Northwind database:
select * from Orders where
OrderID = &1d=10428 and
ShipName='\&Ship='Reggiani Caseifici''
union
select * from Orders where
OrderID = &1d=10428 and
ShipName='&Ship'
go
Issue #7873 |
Closed |
Fixed |
Resolved |
Completion |
No due date |
Fixed Build 13.0-rc-6 |
No time estimate |