Minor bug fix for Microsoft Access case expressions (like --common-tables) in UNION query SQL injection

2025-10-31 07:57:47 +03:00 · 2011-07-08 10:19:01 +00:00 · 2011-07-08 10:19:01 +00:00 · b5dd4d4a63
commit b5dd4d4a63
parent 02bfd05b20
3 changed files with 6 additions and 6 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -82,7 +82,7 @@ Pierre Chifflier <pollux@debian.org> and Mark Hymers <ftpmaster@debian.org>
    Debian project repository

 Chris Clements <cclements@flatearth.net>
-    for reporting a minor bug
+    for reporting a couple of bugs

 Andreas Constantinides <megahz@megahz.org>
    for reporting a minor bug
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -283,7 +283,7 @@ class Agent:
        if Backend.isDbms(DBMS.SQLITE):
            return field

-        if field.startswith("(CASE"):
+        if field.startswith("(CASE") or field.startswith("(IIF"):
            nulledCastedField = field
        else:
            nulledCastedField = (queries[Backend.getIdentifiedDbms()].cast.query % field) if not conf.noCast else field
@ -327,7 +327,7 @@ class Agent:
        if not Backend.getDbms():
            return fields

-        if fields.startswith("(CASE") or fields.startswith("SUBSTR") or fields.startswith("MID("):
+        if fields.startswith("(CASE") or fields.startswith("(IIF") or fields.startswith("SUBSTR") or fields.startswith("MID("):
            nulledCastedConcatFields = fields
        else:
            fields = fields.replace(", ", ",")
@ -598,7 +598,7 @@ class Agent:
            inbandQuery += query[conditionIndex:]

        if Backend.getIdentifiedDbms() in FROM_TABLE:
-            if " FROM " not in inbandQuery or "(CASE " in inbandQuery:
+            if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery:
                inbandQuery += FROM_TABLE[Backend.getIdentifiedDbms()]

        if intoRegExp:
@ -748,7 +748,7 @@ class Agent:
        if Backend.getIdentifiedDbms() is not None and hasattr(queries[Backend.getIdentifiedDbms()], "case"):
            caseExpression = queries[Backend.getIdentifiedDbms()].case.query % expression

-            if Backend.getIdentifiedDbms() in FROM_TABLE and not caseExpression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):
+            if "(IIF" not in caseExpression and Backend.getIdentifiedDbms() in FROM_TABLE and not caseExpression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):
                caseExpression += FROM_TABLE[Backend.getIdentifiedDbms()]

        return caseExpression
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -356,7 +356,7 @@
        <comment query="%00"/>
        <timedelay/>
        <substring query="MID((%s),%d,%d)"/>
-        <case query="IIF(%s,1,0)"/>
+        <case query="SELECT (IIF(%s,1,0))"/>
        <banner/>
        <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
        <current_user/>