| From: | Oliver Jowett <oliver(at)opencloud(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com>, Fernando Nasser <fnasser(at)redhat(dot)com> |
| Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Date: | 2003-07-22 13:39:09 |
| Message-ID: | 20030722133909.GD11354@opencloud.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
On Tue, Jul 22, 2003 at 09:33:53AM -0400, Tom Lane wrote:
> Oliver Jowett <oliver(at)opencloud(dot)com> writes:
> > ... won't this break code that does something like this? :
>
> > stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
> > stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
>
> Code that does that is just going to have to break. We should try to
> provide equivalent functionality in a less unsafe fashion; but
> backwards compatibility with code that is exploiting a security hole
> is not an option.
I agree; since we can't remain backwards-compatible in all cases, is it
worth doing the odd halfway-escaped thing for the sake of the remaining
cases?
-O
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Jowett | 2003-07-22 13:54:53 | patch: tiny patch to correct stringbuffer size estimate |
| Previous Message | Oliver Jowett | 2003-07-22 13:36:56 | patch: make setObject(...) more consistent about the types it generates |