Author Topic: Error when updating attribute constraint containing single quote  (Read 1631 times)

Geert Bellekens

I have an add-in that copies attribute constraints.
Recently we had an error when copying because one of the attribute constraints contained two single quotes.
This resulted in a database error, which was caught by my add-in.
The DBError.txt read:
22-04-2021 07:44:46
Microsoft OLE DB Provider for SQL Server [0x80040e14]

Incorrect syntax near 'quotes'.

select * from t_attributeconstraints where ID=727432 and [Constraint]='constraint with two single 'quotes''

What happened here obviously is that the code forgot to make the name of the constraint SQL safe and escape the single quotes (SQL injection anyone?)

When trying to reproduce the same in a script I was surprised that I didn't get an error. After investigating I found that the error actually happened (and was written to dberror.txt), but had been swallowed by EA. My update didn't work, and EA didn't let me know.

Steps to Reproduce:
- create an attribute with an attribute constraint containing two single quotes in the name
- execute the following script (using the correct attribute guid)
- notice that the update didn't happen
- open dbError.txt and notice the swallowed error in there

Code:
option explicit

!INC Local Scripts.EAConstants-VBScript

sub main
	dim attribute as EA.Attribute
	set attribute = Repository.GetAttributeByGuid("{6C820356-61E4-4359-93AB-0F8F98128238}")
	dim constraint as EA.AttributeConstraint
	for each constraint in attribute.Constraints
		' append a marker to the notes and save the constraint
		constraint.Notes = constraint.Notes & "+;"
		constraint.Update
		Session.Output constraint.Notes
	next
end sub

main
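
The failure mode reported above, as an added example that is not part of the original post and not EA's code: the same lookup built by pasting the constraint name into the SQL text versus sending it as a bound parameter, with the database error either swallowed or passed to the caller. It assumes an in-memory SQLite table as a constructed stand-in for t_attributeconstraints on SQL Server (the column set is assumed, and the engine's error wording differs); the function names are hypothetical.

```python
import sqlite3

NAME = "constraint with two single 'quotes'"  # value from the logged query

def make_db():
    # Constructed stand-in for t_attributeconstraints; column set is assumed.
    db = sqlite3.connect(":memory:")
    db.execute("create table t_attributeconstraints "
               "(ID integer, [Constraint] text, Notes text)")
    db.execute("insert into t_attributeconstraints values (?, ?, ?)",
               (727432, NAME, ""))
    return db

def select_concatenated(db, attr_id, name):
    # Name pasted into the SQL text: the quote inside it ends the literal early.
    sql = ("select Notes from t_attributeconstraints where ID=%d "
           "and [Constraint]='%s'" % (attr_id, name))
    return db.execute(sql).fetchone()

def select_parameterized(db, attr_id, name):
    # Name sent as a bound value: it is never parsed as SQL.
    sql = ("select Notes from t_attributeconstraints where ID=? "
           "and [Constraint]=?")
    return db.execute(sql, (attr_id, name)).fetchone()

def append_notes(db, attr_id, name, suffix, select, swallow):
    """Return True if Notes was updated. With swallow=True a database error
    is only logged (the behaviour described in the post); otherwise it
    propagates to the caller."""
    try:
        row = select(db, attr_id, name)
    except sqlite3.Error as exc:
        if swallow:
            print("dberror:", exc)
            return False
        raise
    if row is None:
        return False
    db.execute("update t_attributeconstraints set Notes=? where ID=? "
               "and [Constraint]=?", (row[0] + suffix, attr_id, name))
    return True

def current_notes(db):
    return db.execute("select Notes from t_attributeconstraints").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(append_notes(db, 727432, NAME, "+;", select_concatenated, True))
    print(append_notes(db, 727432, NAME, "+;", select_parameterized, False))
    print(current_notes(db))
```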