From: | "Tom Hargrave" <Tomh(at)fisher(dot)co(dot)uk> |
---|---|
To: | undisclosed-recipients: ; |
Subject: | Invalid SQL still executes valid sub transactions in Prepared Statement |
Date: | 2004-01-16 14:04:06 |
Message-ID: | s007ef62.028@mailhost.fisher.co.uk |
Lists: | pgsql-jdbc |
Details:

If a piece of SQL is executed in a JDBC prepared statement that includes a semicolon and a valid piece of SQL, then the embedded valid piece of SQL still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that inputs strings that are used to construct a statement, since a hacker can embed SQL within a single field that executes regardless of the overall statement being invalid.

See article:
http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
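An added example, not part of the original message or of the pgsql-jdbc driver, showing the application-side pattern that exposes a web page to the behaviour reported above, next to the hardened form: data values are bound through `?` so the driver treats them as data rather than SQL text, and the ORDER BY column, which cannot be bound as a parameter, is checked against an allow-list before it reaches the statement. Table `t1` and column `c1` come from the report; the `SafeOrderBy` class, column `c2` and the allow-list are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SafeOrderBy {
    // Allow-list of sortable columns (assumed for this example). Anything not
    // in this set is rejected before it can become part of the SQL text.
    private static final Set<String> SORTABLE = Set.of("c1", "c2");

    /** Vulnerable shape: the user-supplied sort field is spliced into the statement.
     *  A field value containing a semicolon turns one statement into several, and
     *  the report above shows the embedded valid statement still running even
     *  though the statement as a whole is invalid. */
    static String vulnerableQuery(String userSort) {
        return "select c1 from t1 order by " + userSort;
    }

    /** Hardened shape: identifiers cannot be bound with '?', so the sort column is
     *  validated against the allow-list; the data value is bound as a parameter. */
    static String safeQuery(String userSort) {
        if (!SORTABLE.contains(userSort)) {
            throw new IllegalArgumentException("unsupported sort column: " + userSort);
        }
        return "select c1 from t1 where c1 = ? order by " + userSort;
    }

    static ResultSet runSafe(Connection conn, String userSort, String value) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeQuery(userSort));
        ps.setString(1, value);   // passed as a bound value, never parsed as SQL
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed input taken from the report's example: rejected by the allow-list.
        String hostile = ";drop t2; c1";
        try {
            safeQuery(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + safeQuery("c1"));
    }
}
```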