Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From Oliver Jowett
Subject Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Msg-id 20030723001106.GD31669@opencloud.com
In response to Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)  (Barry Lind <blind@xythos.com>)
List pgsql-jdbc
On Tue, Jul 22, 2003 at 08:53:36AM -0700, Barry Lind wrote:
> Oliver,
>
> Yes that will no longer work.  But syntactically it shouldn't anyway.
> You are passing a set of strings and saying the type is NUMERIC.  What
> will still work is passing a set of numeric values:
>
>    stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);

I agree that it makes no sense syntactically, but it *is* a loophole we're
talking about here! Interpreting "(1,2,3)" as a NUMERIC type doesn't make
sense either.

Anyway, if the half-escaping doesn't break anything standard, fine. I'd just
rather not make the driver ugly for the sake of backwards compatibility with
a *subset* of the cases where setObject was used in a non-standard way :)

-O
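The loophole Barry and Oliver are discussing, as an added example that is not code from this thread or from the PostgreSQL JDBC driver: a Python sketch of a setObject-style binder in which the legacy path splices a NUMERIC-typed string straight into the SQL text (so "(1, 2, 3)" becomes an IN-list, and so does anything else), while the patched path accepts only a single numeric literal. The function names, the `?` template and the type constants are assumptions for illustration.

```python
import re
from decimal import Decimal

# Stand-ins for java.sql.Types constants (assumption, not the driver's code).
NUMERIC, VARCHAR = "NUMERIC", "VARCHAR"

# One SQL numeric literal: optional sign, digits, optional fraction, optional exponent.
_NUMERIC_LITERAL = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def legacy_numeric_fragment(value):
    """The loophole: a string bound as NUMERIC was spliced into the SQL text
    verbatim, so "(1, 2, 3)" became an IN-list and so did any other text."""
    return str(value)


def numeric_fragment(value):
    """Patched behaviour: numbers pass through; a string must be a single
    numeric literal, otherwise it is rejected before any SQL is built."""
    if isinstance(value, (int, float, Decimal)) and not isinstance(value, bool):
        return str(value)
    text = str(value).strip()
    if not _NUMERIC_LITERAL.match(text):
        raise ValueError(f"not a numeric literal: {value!r}")
    return text


def varchar_fragment(value):
    """Strings: quote and double embedded single quotes (standard SQL escaping)."""
    return "'" + str(value).replace("'", "''") + "'"


def set_object(value, sql_type, legacy=False):
    """Return the SQL fragment setObject(idx, value, type) would substitute."""
    if sql_type == NUMERIC:
        return legacy_numeric_fragment(value) if legacy else numeric_fragment(value)
    if sql_type == VARCHAR:
        return varchar_fragment(value)
    raise TypeError(f"unsupported type {sql_type}")


def render(sql, bindings, legacy=False):
    """Substitute (value, type) bindings for '?' placeholders, left to right (constructed template)."""
    parts = sql.split("?")
    if len(parts) - 1 != len(bindings):
        raise ValueError("placeholder/binding count mismatch")
    out = parts[0]
    for (value, sql_type), rest in zip(bindings, parts[1:]):
        out += set_object(value, sql_type, legacy) + rest
    return out
```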
