When I am executing the SQL query below against A Firebird database (version 3.0.9) running on a Windows 10 64 bit PC.
SELECT * FROM AliasName WHERE AliasId=3. or 1=1--
I expected the query to fail with an error, but strangely Firebird executes the query without any problem and returns all the three rows in the 'AliasName' table
I searched Google regarding the usage of the '.' operator in Firebird, but couldn't find anything that relates to the issue I am facing.
The dot is not an operator, it is the decimal separator. This is SQL standard syntax for an exact numeric literal, and Firebird follows that syntax here. Quoting from the ISO/IEC 9075-2:2016 ("the SQL standard"):
<exact numeric literal> ::=
<unsigned integer> [ <period> [ <unsigned integer> ] ]
| <period> <unsigned integer>
This production rule makes 3. as valid as 3. In other words, it allows you to specify the decimal dot without specifying any digits after the dot. This is also not specific to Firebird, most if not all SQL implementations apply this syntax rule.
This is also specified in the section Number literals of the chapter Common Language Elements in the Firebird 3.0 Language Reference:
| Format | Type |
|---|---|
| ... | ... |
<d>[<d> …] "." [<d> …] |
NUMERIC(18, n) where n depends on the number of digits after the decimal point |
The difference is that in Firebird the literal 3 is typed as an INTEGER, while 3. is typed as a BIGINT (or NUMERIC(18, 0)).