(ITS#5252) Several SQL Bugs in back-sql
Full_Name:
Version: 2.3.38
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (79.207.201.247)
Debugging marks in sql-statement may lead to wrong results.
The interface I implemented yields statements like this when using Thunderbird
for searching for 'Klaus'. Thunderbird tries to look up in email, name and given
name.
And in my setup, search is restricted to "(objectclass=evolutionPerson)".
SELECT DISTINCT
ldap_entries.id,res_partner_address.id,
text('evolutionPerson') AS objectClass,ldap_entries.dn AS dn FROM
ldap_entries,res_partner_address,ldap_entry_objclasses
WHERE
res_partner_address.id=ldap_entries.keyval
AND ldap_entries.oc_map_id=1
AND 9=9
AND ((2=2 OR ( ldap_entries.id=ldap_entry_objclasses.entry_id
AND ldap_entry_objclasses.oc_name='evolutionPerson'))
AND (( upper(email) LIKE '%KLAUS%')
OR (upper(name) LIKE '%KLAUS%')
OR 7=7
OR (upper(substring(name from '\\S+..$')) LIKE '%KLAUS%')))
1) "OR 7=7 OR" renders the whole last AND-clause useless: No selection is done
on email, name or givenname. Thus all records are returned.
2) "2=2 OR" renders the restriction to a specific objectclass useless.
In Bug 5198 Pierangelo Masarati says that a good RDBMS is optimizing this
part away. And exactly this is the problem.
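
The effect of the two marks described in this report can be reproduced with a small in-memory database. This is an added example, not part of the original submission or of back-sql: it runs the statement's WHERE clause on SQLite through Python, the rows are constructed, and the PostgreSQL-specific text(...) column and substring(... from ...) term are left out.

```python
import sqlite3

# Statement shape from the report. {oc_mark} and {filter_mark} mark where the
# "2=2 OR" and "OR 7=7" debugging marks appear in the generated SQL.
QUERY = """
SELECT DISTINCT ldap_entries.id
FROM ldap_entries, res_partner_address, ldap_entry_objclasses
WHERE res_partner_address.id = ldap_entries.keyval
  AND ldap_entries.oc_map_id = 1
  AND 9=9
  AND (({oc_mark}(ldap_entries.id = ldap_entry_objclasses.entry_id
        AND ldap_entry_objclasses.oc_name = 'evolutionPerson'))
  AND ((upper(email) LIKE '%KLAUS%')
       OR (upper(name) LIKE '%KLAUS%'){filter_mark}))
ORDER BY ldap_entries.id
"""

# Constructed sample rows (not from the report).
SETUP = """
CREATE TABLE res_partner_address (id INTEGER, name TEXT, email TEXT);
CREATE TABLE ldap_entries (id INTEGER, dn TEXT, oc_map_id INTEGER, keyval INTEGER);
CREATE TABLE ldap_entry_objclasses (entry_id INTEGER, oc_name TEXT);
INSERT INTO res_partner_address VALUES
  (1, 'Klaus Example', 'klaus@example.org'),
  (2, 'Anna Example',  'anna@example.org'),
  (3, 'Klaus Other',   'ko@example.org');
INSERT INTO ldap_entries VALUES
  (1, 'cn=1,dc=example', 1, 1), (2, 'cn=2,dc=example', 1, 2), (3, 'cn=3,dc=example', 1, 3);
INSERT INTO ldap_entry_objclasses VALUES
  (1, 'evolutionPerson'), (2, 'evolutionPerson'), (3, 'otherClass');
"""

def matching_ids(oc_mark, filter_mark):
    """Return the entry ids selected with or without each debugging mark."""
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    sql = QUERY.format(oc_mark="2=2 OR " if oc_mark else "",
                       filter_mark=" OR 7=7" if filter_mark else "")
    ids = [row[0] for row in db.execute(sql)]
    db.close()
    return ids

if __name__ == "__main__":
    for oc in (True, False):
        for flt in (True, False):
            print(f"2=2 OR: {oc!s:5}  OR 7=7: {flt!s:5}  ->", matching_ids(oc, flt))
```

With both marks present every entry is returned; only with both removed does the search narrow to the one evolutionPerson entry matching 'Klaus'.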