Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From: Oliver Jowett
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Msg-id: 20030722063504.GA10522@opencloud.com
In response to: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Barry Lind <blind@xythos.com>)
Responses: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Tom Lane <tgl@sss.pgh.pa.us>)
           Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Barry Lind <blind@xythos.com>)
List: pgsql-jdbc
On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:

> Given the ongoing discussion that this SQL injection vulnerability has
> caused, I decided not to apply the below patch from Kim and instead
> fixed the problem in a different way.  The fix essentially applies the
> regular escaping done for setString to appropriate values passed to
> setObject.  It does not however add quotes to the value.  Thus existing
> uses of setObject for in clause and array type values will still
> continue to work.

I haven't looked at the updated tree yet, but from your description won't
this break code that does something like this? :

  stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
  stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

-O
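A small Java model of the behaviour Oliver is asking about, added here as an illustration (it is not pgjdbc code and not part of the thread): the driver's setString escaping is simplified to doubling single quotes, the placeholder substitution is a plain string replace, and bindNumericStrict is a hypothetical stricter alternative, not something the applied patch does.

```java
import java.math.BigDecimal;

/** Constructed model of how a driver splices a bound value into SQL text; not pgjdbc's own code. */
public class SetObjectEscapingDemo {

    /** setString-style escaping, modelled as doubling single quotes (assumption about the driver's routine). */
    static String escapeLikeSetString(String value) {
        return value.replace("'", "''");
    }

    /** Before the patch: a value bound with Types.NUMERIC was spliced in verbatim, whatever it contained. */
    static String bindNumericBefore(String value) {
        return value;
    }

    /** After the patch, as Barry describes it: escaped like setString, but with no surrounding quotes added. */
    static String bindNumericAfter(String value) {
        return escapeLikeSetString(value);
    }

    /** Hypothetical stricter alternative (not from the thread): accept only text that parses as a number. */
    static String bindNumericStrict(String value) {
        return new BigDecimal(value).toPlainString(); // throws NumberFormatException for non-numeric text
    }

    /** Substitute the single '?' placeholder; every sample statement below contains exactly one. */
    static String render(String sql, String boundText) {
        return sql.replace("?", boundText);
    }

    public static void main(String[] args) {
        String sql = "SELECT * FROM table WHERE string_key IN ?";
        String list = "('a', 'b', 'c')"; // the IN-list usage from the message above

        // Before the patch the list is spliced in unchanged, so the statement is valid SQL.
        System.out.println(render(sql, bindNumericBefore(list)));

        // After the patch every quote in the list is doubled, so the same call produces a statement
        // whose IN-list no longer parses: this is the breakage Oliver is pointing at.
        System.out.println(render(sql, bindNumericAfter(list)));

        // A genuinely numeric value contains nothing to escape and survives both paths unchanged.
        System.out.println(render("SELECT * FROM table WHERE id = ?", bindNumericAfter("42")));

        // The strict variant keeps numbers and rejects the list at bind time instead of emitting broken SQL.
        System.out.println(bindNumericStrict("42.50"));
        try {
            bindNumericStrict(list);
        } catch (NumberFormatException e) {
            System.out.println("rejected at bind time: " + list);
        }
    }
}
```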
