Bug 446159 - [h2] Escape backslash in H2ElementDao
Summary: [h2] Escape backslash in H2ElementDao
Status: CLOSED FIXED
Alias: None
Product: DLTK
Classification: Technology
Component: Common
Version: 5.1
Hardware: All All
Importance: P3 normal
Target Milestone: 5.1.1
Assignee: dltk.common-inbox CLA
Blocks: 457159
Reported: 2014-10-07 08:55 EDT by Dawid Pakula CLA
Modified: 2015-04-29 13:38 EDT
Description Dawid Pakula CLA 2014-10-07 08:55:37 EDT
Since 5.1, DLTK passes strings to H2 via PreparedStatements (bug 419768).

Unfortunately, backslashes (used, for example, in PHP namespaces) in SQL "LIKE" are parsed.

So instead of these lines:
// Prefix
else if (matchRule == MatchRule.PREFIX) {
 query.append(" AND NAME LIKE ?");
 parameters.add(pattern + "%");
}

should be:
else if (matchRule == MatchRule.PREFIX) {
 query.append(" AND NAME LIKE ?");
 parameters.add(pattern.replaceAll("\\\\", "\\\\\\\\") + "%");
}

Same for MatchRule.PATTERN, and MatchRule.PREFIX
Comment 1 Alex Panchenko CLA 2014-10-07 09:19:10 EDT
As we don't need escaping here, I would suggest using:
like ? escape ''

see http://www.h2database.com/html/grammar.html#condition_right_hand_side

Verified with:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;

public class Bug446159 {
    public static void main(String[] args) throws Exception {
        try (Connection connection = DriverManager.getConnection("jdbc:h2:mem:A", "sa", "")) {
            // Two rows: one name without and one with a leading backslash
            try (Statement statement = connection.createStatement()) {
                statement.executeUpdate("create table test(name varchar(100))");
                statement.executeUpdate("insert into test values ('Alex')");
                statement.executeUpdate("insert into test values ('\\Alex')");
            }
            // escape '' turns off the LIKE escape character for this condition
            try (PreparedStatement preparedStatement = connection.prepareStatement("select * from test where name like ? escape ''")) {
                // Bound pattern is a backslash followed by the % wildcard
                preparedStatement.setString(1, "\\%");
                preparedStatement.execute();
                try (ResultSet resultSet = preparedStatement.getResultSet()) {
                    while (resultSet.next()) {
                        System.out.println(resultSet.getString(1));
                    }
                }
            }
        }
    }
}


I'll push the fix, OK?
Comment 2 Dawid Pakula CLA 2014-10-07 09:45:21 EDT
(In reply to Alex Panchenko from comment #1)
> I'll push the fix, OK?

OK, I'll test it ASAP
Comment 4 Dawid Pakula CLA 2015-01-08 10:58:33 EST
I have to reopen. Disabling escaping is a bad idea, because "_" is a second LIKE wildcard. So it's not possible to search for methods starting with "_".

Patch: https://git.eclipse.org/r/39213
Comment 5 Dawid Pakula CLA 2015-04-29 13:38:45 EDT
Patch was merged a long time ago [1], closing.

[1] - http://git.eclipse.org/c/dltk/org.eclipse.dltk.core.git/commit?id=03761a97270a9771882c7a165e9bb59fcbebefb4
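
The two failure modes discussed in this thread (a backslash consumed as the LIKE escape character, and "_" acting as a wildcard when escaping is disabled), as an added example that is not DLTK's or H2's code and not the merged patch. `escapeLike` and `like` are hypothetical helpers; `like` is a simplified model of LIKE matching that assumes backslash as the escape character, and the names are constructed sample data.

```java
import java.util.regex.Pattern;

public class LikeEscapeDemo {
    // Assumption: backslash is the LIKE escape character, as in the report above.
    static final char ESC = '\\';

    /** Escape the escape character itself and both LIKE wildcards in a literal. */
    static String escapeLike(String literal) {
        StringBuilder sb = new StringBuilder(literal.length() + 8);
        for (char c : literal.toCharArray()) {
            if (c == ESC || c == '%' || c == '_') {
                sb.append(ESC);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Simplified model of "value LIKE pattern ESCAPE esc"; esc == null means escaping is off. */
    static boolean like(String value, String pattern, Character esc) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (esc != null && c == esc && i + 1 < pattern.length()) {
                // The character after the escape is taken literally
                re.append(Pattern.quote(String.valueOf(pattern.charAt(++i))));
            } else if (c == '%') {
                re.append(".*");   // any run of characters
            } else if (c == '_') {
                re.append('.');    // exactly one character
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(re.toString(), Pattern.DOTALL).matcher(value).matches();
    }

    public static void main(String[] args) {
        String[] names = {"\\Foo\\Bar", "Foo\\Bar", "_init", "xinit"}; // constructed sample
        String[] prefixes = {"\\Foo", "_in"};
        for (String p : prefixes) {
            for (String n : names) {
                System.out.printf("prefix=%-5s name=%-9s raw=%-5b noEscape=%-5b escaped=%b%n", p, n,
                    like(n, p + "%", ESC), like(n, p + "%", null), like(n, escapeLike(p) + "%", ESC));
            }
        }
    }
}
```

Only the `escaped` column matches exactly the names that begin with the literal prefix: `raw` loses the leading backslash, and `noEscape` lets `_in` match `xinit`.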