| From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
|---|---|
| To: | Barry Lind <blind(at)xythos(dot)com> |
| Cc: | pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com>, Fernando Nasser <fnasser(at)redhat(dot)com> |
| Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Date: | 2003-07-22 06:35:04 |
| Message-ID: | 20030722063504.GA10522@opencloud.com |
| Lists: | pgsql-jdbc |
On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:
> Given the ongoing discussion that this SQL injection vulnerability has
> caused, I decided not to apply the below patch from Kim and instead
> fixed the problem in a different way. The fix essentially applies the
> regular escaping done for setString to appropriate values passed to
> setObject. It does not however add quotes to the value. Thus existing
> uses of setObject for in clause and array type values will still
> continue to work.
I haven't looked at the updated tree yet, but from your description won't
this break code that does something like this? :
stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
-O
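To make the concern in this exchange concrete, here is an added illustration that is not code from the PostgreSQL JDBC driver or from anyone in the thread: a small Python model of client-side parameter substitution. It assumes, as the thread describes, that the old driver inlined the string form of a setObject(int, Object, Types.NUMERIC) value into the SQL text verbatim, and that the fix runs the setString escaping over that value without adding quotes. The escaping itself (quote doubling, plus backslash doubling), the NUMERIC/VARCHAR constants and the naive "?" splitting are assumptions of the model, not the driver's implementation. It renders Oliver's IN-list case before and after the fix, and alongside it a constructed quoted-string payload and a constructed unquoted numeric payload, so the reader can see exactly which inputs the escaping changes.

```python
# Toy model of client-side parameter substitution for this thread.
# NOT code from the PostgreSQL JDBC driver; the escaping rules, type
# constants and placeholder handling below are assumptions of the model.

from typing import Sequence

NUMERIC = "NUMERIC"   # stand-in for java.sql.Types.NUMERIC
VARCHAR = "VARCHAR"   # stand-in for java.sql.Types.VARCHAR


def escape_like_set_string(value: str) -> str:
    """setString-style escaping as the thread describes it.

    Single quotes are doubled so a value cannot terminate the literal that
    encloses it. Backslash doubling is an assumption made for this toy; the
    point of the example does not depend on it.
    """
    return value.replace("\\", "\\\\").replace("'", "''")


def render_param(value: object, sql_type: str, escape_numeric: bool) -> str:
    """Turn one bound parameter into SQL text.

    VARCHAR: always escaped and wrapped in quotes (setString behaviour).
    NUMERIC: inlined without quotes; escaped only when escape_numeric is
    True, which models the fix Barry describes (escape, but do not quote).
    """
    text = str(value)
    if sql_type == VARCHAR:
        return "'" + escape_like_set_string(text) + "'"
    if sql_type == NUMERIC:
        return escape_like_set_string(text) if escape_numeric else text
    raise ValueError(f"unsupported type {sql_type!r} in this toy model")


def substitute(template: str, params: Sequence[tuple], escape_numeric: bool) -> str:
    """Replace each '?' placeholder, left to right, with its rendered parameter.

    A real driver's parser also skips '?' inside literals and comments; that
    is omitted here because the templates used below contain none.
    """
    parts = template.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder count does not match parameter count")
    out = [parts[0]]
    for (value, sql_type), tail in zip(params, parts[1:]):
        out.append(render_param(value, sql_type, escape_numeric))
        out.append(tail)
    return "".join(out)


# Oliver's example: a whole IN list passed as one NUMERIC setObject value.
IN_TEMPLATE = "SELECT * FROM table WHERE string_key IN ?"
IN_VALUE = "('a', 'b', 'c')"


def oliver_case_before_fix() -> str:
    """Verbatim inlining: the IN list arrives intact."""
    return substitute(IN_TEMPLATE, [(IN_VALUE, NUMERIC)], escape_numeric=False)


def oliver_case_after_fix() -> str:
    """With setString escaping applied, every quote in the list is doubled."""
    return substitute(IN_TEMPLATE, [(IN_VALUE, NUMERIC)], escape_numeric=True)


# Constructed attacker input that tries to close a quoted literal; this is
# the shape of input that quote escaping is designed to neutralise.
QUOTED_TEMPLATE = "SELECT * FROM table WHERE name = ?"
QUOTE_PAYLOAD = "x' OR 'a'='a"


def quoted_string_param() -> str:
    """setString path: escaped and quoted, so the payload stays one literal."""
    return substitute(QUOTED_TEMPLATE, [(QUOTE_PAYLOAD, VARCHAR)], escape_numeric=True)


# Constructed input with no quote characters in an unquoted NUMERIC position;
# quote escaping has nothing to act on, and the model shows it passing through.
NUM_TEMPLATE = "SELECT * FROM table WHERE id = ?"
NUM_PAYLOAD = "1 OR 1=1"


def numeric_param_after_fix() -> str:
    """NUMERIC path after the fix: escaped but not quoted."""
    return substitute(NUM_TEMPLATE, [(NUM_PAYLOAD, NUMERIC)], escape_numeric=True)


if __name__ == "__main__":
    print("IN list, before fix :", oliver_case_before_fix())
    print("IN list, after fix  :", oliver_case_after_fix())
    print("VARCHAR payload     :", quoted_string_param())
    print("NUMERIC payload     :", numeric_param_after_fix())
```

Run as a script, the model prints Oliver's IN list intact under the old verbatim behaviour and as `(''a'', ''b'', ''c'')` once setString escaping is applied, which is the breakage he is asking about: the escaping changes any NUMERIC value that contains a quote, whether that quote came from an attacker or from application code building a list. The last two cases are there for contrast only, to show what the escaping does and does not touch in this model; they are not a claim about the driver's actual fix.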