| From: | Barry Lind <blind(at)xythos(dot)com> |
|---|---|
| To: | Fernando Nasser <fnasser(at)redhat(dot)com> |
| Cc: | Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com> |
| Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Date: | 2003-07-23 17:39:34 |
| Message-ID: | 3F1EC856.8020307@xythos.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Fernando,
Fernando Nasser wrote:
> What if my string (which is a string, not a list) contains the
> characters "('a1', 'b2', 'c3')"? How do I set my parameter to such a
> string with setObject?
OK, now I understand your question. This will still work, just like it
always has. The single quotes will be escaped before sending them to
the backend and the result will be what you would expect.
So if the query was: insert into foo (bar) values (?)
stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
would result in the following statement sent to the server:
insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')
which will result in the value ('a1', 'b2', 'c3') being inserted.
thanks,
--Barry
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fernando Nasser | 2003-07-23 17:48:45 | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Previous Message | Dmitry Tkach | 2003-07-23 17:28:23 | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |