Re: Prepared Statements

From: Fernando Nasser <fnasser(at)redhat(dot)com>
To: Dmitry Tkach <dmitry(at)openratings(dot)com>
Cc: Barry Lind <blind(at)xythos(dot)com>, wsheldah(at)lexmark(dot)com, "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Prepared Statements
Date: 2003-07-18 15:20:52
Message-ID: 3F181054.5080707@redhat.com
Lists: pgsql-jdbc

Dmitry Tkach wrote:
> Fernando Nasser wrote:
>
>>>
>>
>> I don't believe this is actually being sent to the backend, maybe it
>> is just a toString() bug.
>
>
> You better do believe it. I tried it, and it works. :-)
>
>>
>> The backend should get:
>>
>> select * from user where id='null;drop database mydb'
>>
>> (If it does not it is a bug.)
>
>
> Nah... That's what it would get if you did setString()... setObject ()
> doesn't work that way.
> I tend to agree, it's a bug - if the type is INTEGER, it should be
> checking if the object, passed in is really numeric.
>
> The thing is that, at least, in the current state of the driver, this is
> a *really nice* bug, that gives you the only way to use certain
> functionality....
> For example:
>
> PreparedStatement stmt = c.prepareStatement ("select * from mytable
> where data in ?");
> stmt.setObject (1, "(1,2,3,4,5)", Types.INTEGER);
>
> ... if the "bug" was fixed, there would be no other way to do this kind
> of thing :-(
>

Well, I guess the bug will have to be fixed asap as it is a security risk.

What is the proper JDBC way for filling IN lists in prepared statements?

--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
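Two ways to fill an IN list without the setObject()/Types.INTEGER trick described in the quoted message, as an added example that is not code from this thread or from the PostgreSQL JDBC driver. It assumes the page's table `mytable` with an integer column `data`, and an open `java.sql.Connection`. `selectByPlaceholders` is plain JDBC and works with any driver: the SQL text gets one `?` per value and each value is bound with the typed `setInt()`, so a string such as the one in the quoted example cannot reach the backend unquoted. `selectByArray` assumes a driver that implements JDBC 4's `Connection.createArrayOf()` (added after this 2003 thread) and passes the whole list as one array parameter with PostgreSQL's `= any(?)`.

```java
import java.sql.Array;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class InListExample {

    /**
     * Returns "<prefix> in (?, ?, ?)" with exactly one placeholder per value.
     * Only the placeholder count comes from the caller; the values themselves
     * never become part of the SQL text.
     */
    static String inListSql(String prefix, int count) {
        if (count <= 0) {
            throw new IllegalArgumentException("IN list must contain at least one value");
        }
        StringBuilder sb = new StringBuilder(prefix).append(" in (");
        for (int i = 0; i < count; i++) {
            sb.append(i == 0 ? "?" : ", ?");
        }
        return sb.append(')').toString();
    }

    /** Portable JDBC: one placeholder per value, each bound with a typed setInt(). */
    static List<Integer> selectByPlaceholders(Connection c, List<Integer> values) throws SQLException {
        // Assumed table/column from the thread: mytable.data (integer)
        String sql = inListSql("select data from mytable where data", values.size());
        try (PreparedStatement stmt = c.prepareStatement(sql)) {
            for (int i = 0; i < values.size(); i++) {
                // JDBC parameters are 1-based; setInt only accepts an int, so no
                // text can be smuggled into the statement through this binding.
                stmt.setInt(i + 1, values.get(i));
            }
            try (ResultSet rs = stmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /**
     * PostgreSQL-specific: one array parameter compared with "= any(?)".
     * Assumes JDBC 4 createArrayOf() support in the driver; "int4" is the
     * backend's name for the integer type.
     */
    static List<Integer> selectByArray(Connection c, List<Integer> values) throws SQLException {
        Array arr = c.createArrayOf("int4", values.toArray(new Integer[0]));
        try (PreparedStatement stmt = c.prepareStatement("select data from mytable where data = any(?)")) {
            stmt.setArray(1, arr);
            try (ResultSet rs = stmt.executeQuery()) {
                return collect(rs);
            }
        } finally {
            arr.free();
        }
    }

    private static List<Integer> collect(ResultSet rs) throws SQLException {
        List<Integer> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getInt(1));
        }
        return out;
    }

    public static void main(String[] args) {
        // No database is needed to inspect the SQL text generated for five values.
        System.out.println(inListSql("select data from mytable where data", 5));
    }
}
```

The placeholder form needs a new statement text for each distinct list size, which defeats statement caching when sizes vary widely; the array form keeps a single statement text for any size but is PostgreSQL-specific. Both keep every value out of the SQL string, which is the property the quoted workaround gives up.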
