Re: Prepared Statements

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com>
Cc: Fernando Nasser <fnasser(at)redhat(dot)com>, Dima Tkach <dmitry(at)openratings(dot)com>, Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net>
Subject: Re: Prepared Statements
Date: 2003-07-22 05:56:03
Message-ID: 3944.1058853363@sss.pgh.pa.us
Lists: pgsql-jdbc

Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> writes:
> I think that the simplest thing would be to have an option in the
> backend to disable processing of multiple statements in one query --
> i.e. disallow the use of ';' as a separator of statements.

FWIW, the new "extended query" protocol has exactly such a restriction.
However, that hardly excuses any sloppiness in allowing
non-syntax-checked parameter values through. Consider changing
"WHERE x < ?" to
"WHERE x < 42 AND my_function_with_interesting_side_effects()"

No semicolons in sight, but I can still clean out your bank balance ;-)

regards, tom lane
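As an added illustration (not part of the thread), here are the three ways a driver can treat the value from Tom's example, using Python's sqlite3 as a stand-in backend and a hypothetical function that only records whether it was ever reached: unchecked client-side substitution, substitution guarded by a numeric-literal check, and server-side binding.

```python
import re
import sqlite3

# Records every invocation of the hypothetical "interesting side effects" function.
CALLS = []

def my_function_with_interesting_side_effects():
    CALLS.append(True)   # the side effect we want to be sure never happens
    return 1

def make_db():
    """Constructed sample: an in-memory SQLite database with one integer column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?)", [(1,), (10,), (100,)])
    conn.create_function("my_function_with_interesting_side_effects", 0,
                         my_function_with_interesting_side_effects)
    return conn

# The value from the message above: no semicolon anywhere.
TAINTED = "42 AND my_function_with_interesting_side_effects()"

def unchecked_substitution(conn, value):
    """Driver pastes the value into the SQL text with no check at all."""
    return conn.execute("SELECT x FROM t WHERE x < " + str(value)).fetchall()

# A value destined for a numeric placeholder must itself be a numeric literal.
NUMERIC_LITERAL = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def checked_substitution(conn, value):
    """Still client-side substitution, but the value is syntax-checked first."""
    text = str(value)
    if not NUMERIC_LITERAL.match(text):
        raise ValueError("not a numeric literal: %r" % text)
    return conn.execute("SELECT x FROM t WHERE x < " + text).fetchall()

def is_rejected(conn, value):
    """True when checked_substitution refuses the value."""
    try:
        checked_substitution(conn, value)
        return False
    except ValueError:
        return True

def server_side_bind(conn, value):
    """Value travels separately from the SQL text, so it is never parsed as SQL.
    SQLite orders any integer below any text, so a non-numeric string matches
    every row here; what matters is that the query's structure is unchanged."""
    return conn.execute("SELECT x FROM t WHERE x < ?", (value,)).fetchall()
```

On a PostgreSQL backend the bound string would instead fail to coerce to an integer and the statement would error; in both cases the function in the tainted value is never reached.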
