| From: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
|---|---|
| To: | Csaba Nagy <nagy(at)ecircle-ag(dot)com> |
| Cc: | Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk>, "(dot) org \" <pgsql-jdbc(at)postgresql(dot)org>"(at)svr1(dot)postgresql(dot)org |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-17 15:27:23 |
| Message-ID: | 3F16C05B.3030109@openratings.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
>
>
>In my understanding the prepared statement will properly escape any
>parameter so it can be trusted that the resulting query will not contain
>something you wouldn't expect. Example (< and > are delimiters, ignore
>them):
>
>query: <SELECT * from address_book WHERE name = ?>
>
>input: <joe';delete from address_book where 'true>
>
>result if you just replace the <?> with <'$input'>:
>SELECT * from address_book WHERE name = 'joe';delete from address_book
>where 'true'
>-> results in 2 statements executed
>
Nope. You missed a quote :-)
The resulting query would be:
SELECT * from address_book WHERE name = 'joe'';delete from address_book
where 'true';
This will be a syntax error - not "2 statements executed"... not even
one statement :-)
But that's not the point anyway.
The app that accepts user input the way you describe and just puts
quotes around it is of little use anyway ...
To be useful, it would have to take care about escaping the special
characters on its own - not even to prevent "injection attacs", but just
to be functional in the way that doesn't generate unexpected syntax
errors (or just totally wrong data being entered) just because the
user's input happens to contain a character that has a special meaning
to the parser.
Dima
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Paul Thomas | 2003-07-17 15:38:47 | Re: setFetchSize |
| Previous Message | Csaba Nagy | 2003-07-17 15:14:37 | Re: Prepared Statements |