Home > mailing lists

Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From	Oliver Jowett
Subject	Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Date	July 22, 2003 13:46:17
Msg-id	20030722133909.GD11354@opencloud.com Whole thread Raw
In response to	Re: Prepared Statements (wsheldah@lexmark.com)
List	pgsql-jdbc

Tree view

On Tue, Jul 22, 2003 at 09:33:53AM -0400, Tom Lane wrote:
> Oliver Jowett <oliver@opencloud.com> writes:
> > ... won't this break code that does something like this? :
>
> >   stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
> >   stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
>
> Code that does that is just going to have to break.  We should try to
> provide equivalent functionality in a less unsafe fashion; but
> backwards compatibility with code that is exploiting a security hole
> is not an option.

I agree; since we can't remain backwards-compatible in all cases, is it
worth doing the odd halfway-escaped thing for the sake of the remaining
cases?

-O

pgsql-jdbc by date:

From: Paul Thomas
Date: 22 July 2003, 11:04:48
Subject: Re: IN clauses via setObject(Collection) [Was: Re: Prepared

From: Tom Lane
Date: 22 July 2003, 13:49:41
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

Previous

Next