From: | Fernando Nasser <fnasser(at)redhat(dot)com> |
---|---|
To: | Barry Lind <blind(at)xythos(dot)com> |
Cc: | Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com> |
Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
Date: | 2003-07-23 17:48:45 |
Message-ID: | 3F1ECA7D.3020002@redhat.com |
Lists: | pgsql-jdbc |
Barry Lind wrote:
> Fernando,
>
>
> Fernando Nasser wrote:
>
>> What if my string (which is a string, not a list) contains the
>> characters "('a1', 'b2', 'c3')"? How do I set my parameter to such a
>> string with setObject?
>
>
> OK, now I understand your question. This will still work, just like it
> always has. The single quotes will be escaped before sending them to
> the backend and the result will be what you would expect.
>
> So if the query was: insert into foo (bar) values (?)
>
> stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
>
> would result in the following statement sent to the server:
>
> insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')
>
> which will result in the value ('a1', 'b2', 'c3') being inserted.
>
OK, so far so good. And my other question is:
Can we pass a set of strings?
stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
will result into:
... where ... in (\'a1\', \'b2\', \'c3\') ...
while the proper syntax should be:
... where ... in ('a1', 'b2', 'c3') ...
or will the backend work even with the escaped quotes?
What I was referring to as a partial solution (or something of the sort) was the
fact that you can fill your IN predicate <in values list> if the
elements of the list are numeric values but not if the values were
VARCHARs.
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
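As an added example (not code from this thread or from the PostgreSQL JDBC driver), a small Python model of the client-side placeholder substitution Barry describes: it shows that a string parameter always becomes exactly one quoted literal, whether in an INSERT or inside an IN predicate, and builds the one-placeholder-per-element form that a VARCHAR IN list needs. The function names, the `foo`/`bar` table and column, and the decision to escape backslashes as well as single quotes are this example's own assumptions; the backslash escaping style follows the thread, not the doubled-quote form that PostgreSQL uses with standard_conforming_strings on.

```python
def escape_literal(value: str) -> str:
    """Quote a string as a SQL literal in the style the thread describes:
    a backslash before each single quote. The backslash itself is escaped
    too (this example's choice), so a supplied backslash cannot cancel the
    escaping of a following quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def substitute(query: str, params: list) -> str:
    """Replace each '?' with its parameter rendered as a literal.
    Numbers are emitted bare, everything else is quoted and escaped.
    Assumes the query text itself contains no '?' inside literals."""
    parts = query.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            out += str(value)
        else:
            out += escape_literal(str(value))
        out += rest
    return out


def in_list_query(column: str, values: list):
    """Build 'select * from foo where <column> in (?, ?, ...)' with one
    placeholder per element. A single VARCHAR parameter can only ever
    become one literal, so this is how a list of strings is parameterised."""
    if not values:
        raise ValueError("IN list needs at least one value")
    placeholders = ", ".join("?" for _ in values)
    return f"select * from foo where {column} in ({placeholders})", list(values)


if __name__ == "__main__":
    # Barry's INSERT case: the quotes inside the value are escaped.
    print(substitute("insert into foo (bar) values (?)", ["('a1', 'b2', 'c3')"]))
    # The same value as one VARCHAR parameter inside IN is still one literal,
    # compared against the whole string "('a1', 'b2', 'c3')", not a list.
    print(substitute("select * from foo where bar in (?)", ["('a1', 'b2', 'c3')"]))
    # One placeholder per element gives the IN list Fernando is after.
    q, p = in_list_query("bar", ["a1", "b2", "c3"])
    print(substitute(q, p))
```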