395974 - our storage unit tests cause "WARNING: Unsafe use of LIKE detected!" warnings

Status: RESOLVED FIXED

(Toolkit :: Storage, defect)

Description

[(not reading, please use seth@sspitzer.org instead)]

our storage unit tests cause "WARNING: Unsafe use of LIKE detected!" warnings

WARNING: Unsafe use of LIKE detected!  Please ensure that you are usi
ng mozIStorageConnection::escapeStringForLIKE and that you are binding that
result to the statement to prevent SQL injection attacks.: file
c:/builds/trunk/mozilla/storage/src/mozStorageStatement.cpp, line 175

for example:

var stmt = createStatement("SELECT x FROM t1 WHERE x LIKE 'abc';");

shawn writes:  

Yeah, I noticed that when I had some failed tests too ;)

We could properly bind the parameters, but at the same time, we don't need to
here, so I'm rather indifferent.

I wrote:

given that we have this this warning on usage usuage change, and that people
tend to copy and paste code (even from tests), I think we should fix it.
but it is not a high priority.

Comment 1

[Shawn Wilsher :sdwilsh]

I'm still indifferent - I don't expect people to copy that test file's syntax, but I could be wrong :/

Comment 2

[Ondrej Brablc]

Attachment: Bind the value to avoid WARNING

I found this bug when analyzing 419642 and removing false warnings there. So I decided to fix this too.

Comment 3

[Ondrej Brablc]

Should I nominate this or is it not necessary?

Comment 4

[Shawn Wilsher :sdwilsh]

Comment on attachment 307465 [details] [diff] [review]
Bind the value to avoid WARNING

(In reply to comment #3)
> Should I nominate this or is it not necessary?
Don't bother - it's tests so you can land it without approval even.

Looks like our unicode tests were already done this way - yay!

r=sdwilsh

Comment 5

[Reed Loden [:reed]]

Checking in storage/test/unit/test_like.js;
/cvsroot/mozilla/storage/test/unit/test_like.js,v  <--  test_like.js
new revision: 1.3; previous revision: 1.2
done