376052 – Using quotes " for identifiers has side effects for SQLite

Bug 376052 - Using quotes " for identifiers has side effects for SQLite

Summary: Using quotes " for identifiers has side effects for SQLite

Status:	CLOSED FIXED

Alias:	None

Product:	KDb
Classification:	Frameworks and Libraries
Component:	Driver: SQLite (show other bugs)
Version:	3.0.0
Platform:	Other Linux

Importance:	HI major
Target Milestone:	3.1
Assignee:	Jarosław Staniek

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-02-05 13:47 UTC by Jarosław Staniek
Modified:	2017-02-05 23:33 UTC (History)
CC List:	0 users

See Also:
Latest Commit:	https://commits.kde.org/kdb/46c6f293426de943319b74b8f398bb6803aa1a2d
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Jarosław Staniek 2017-02-05 13:47:58 UTC

From https://www.sqlite.org/lang_keywords.html:

RULE[*] "If a keyword in double quotes (ex: "key" or "glob") is used in a context where it cannot be resolved to an identifier but where a string literal is allowed, then the token is understood to be a string literal instead of an identifier."

So for table T(A TEXT) this query works:

SELECT * FROM T WHERE "A1"='A1';

And it even returns all rows of T.

Expected: "identifier not found" error at SQLite level.

Notes: Kexi parses the KDbSQL query supplied by the user so there's no issue in the Query Designer's SQL editor. But APIs such as KDb::deleteRecords() use the native queries through calls such as KDbConnection::executeVoidSQL("DELETE FROM %1 WHERE %2=%3"). 

Proposed solution: Instead of using " quotes for identifiers, use []. This way the RULE[*] will not be applied. This is a global solution for the SQLite driver so altering the SQL commands constructed internally is not needed if they are use KDbConnection::escapeIdentifier().

Comment 1 Jarosław Staniek 2017-02-05 13:50:42 UTC

The issue has been found during the creation of autotests for KDb::deleteRecords():

https://phabricator.kde.org/D4131#inline-17777

Comment 2 Jarosław Staniek 2017-02-05 23:32:42 UTC

Git commit 46c6f293426de943319b74b8f398bb6803aa1a2d by Jaroslaw Staniek.
Committed on 05/02/2017 at 23:31.
Pushed by staniek into branch 'master'.

Fix issues because of using " quotes for identifiers in SQLite driver

Use the [...] notation instead.

Details:

>From https://www.sqlite.org/lang_keywords.html:

RULE[*] "If a keyword in double quotes (ex: "key" or "glob") is used in a context where it cannot be resolved to an identifier but where a string literal is allowed, then the token is understood to be a string literal instead of an identifier."

So for table T(A TEXT) this query works:

SELECT * FROM T WHERE "A1"='A1';

And it even returns all rows of T.

Expected: "identifier not found" error at SQLite level.

Notes: Kexi parses the KDbSQL query supplied by the user so there's no issue in the Query Designer's SQL editor. But APIs such as KDb::deleteRecords() use the native queries through calls such as KDbConnection::executeVoidSQL("DELETE FROM %1 WHERE %2=%3").

Solution: Instead of using " quotes for identifiers, use []. This way the RULE[*] will not be applied. This is a global solution for the SQLite driver so altering the SQL commands constructed internally is not needed if they are use KDbConnection::escapeIdentifier().

M  +6    -4    src/KDbDriver.cpp
M  +2    -1    src/KDbDriver.h
M  +7    -2    src/KDbDriverBehavior.h
M  +2    -1    src/KDbDriver_p.cpp
M  +2    -1    src/drivers/mysql/MysqlDriver.cpp
M  +2    -1    src/drivers/postgresql/PostgresqlDriver.cpp
M  +2    -1    src/drivers/sqlite/SqliteDriver.cpp
M  +2    -1    src/drivers/sybase/SybaseDriver.cpp
M  +2    -1    src/drivers/xbase/XbaseDriver.cpp

https://commits.kde.org/kdb/46c6f293426de943319b74b8f398bb6803aa1a2d