BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL - Mailing list pgsql-bugs

From PostgreSQL Bugs List
Subject BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
Date
Msg-id 20040114124804.0D1E2CF4A06@www.postgresql.com
Responses Re: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
List pgsql-bugs
The following bug has been logged online:

Bug reference:      1049
Logged by:          Tom Hargrave

Email address:      tomh@fisher.co.uk

PostgreSQL version: 7.3.2

Operating system:   Linux

Description:        Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

Details:

If a piece of SQL is executed in a JDBC prepared statement that includes a
semicolon and a valid piece of SQL, then the embedded valid piece of SQL
still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.

See article:

http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
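An added example, not part of the report or of the PostgreSQL JDBC driver's code: a quote- and comment-aware splitter that mimics the client-side semicolon split the report describes, a guard that refuses multi-statement text before it reaches the driver, and a whitelist for the sort column (identifiers such as an ORDER BY column cannot be bound as parameters). The splitting rule, the whitelist and the helper names are assumptions constructed for illustration.

```python
# Constructed example: mimics a client-side split on semicolons, as described in
# the bug report; it is not the PostgreSQL JDBC driver's own implementation.

def split_statements(sql: str) -> list[str]:
    """Split `sql` on semicolons that lie outside string literals, quoted
    identifiers and comments, the way a naive client-side split would."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):                         # literal or quoted identifier
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:   # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1]); i = j + 1
        elif sql.startswith("--", i):                # line comment runs to newline
            j = sql.find("\n", i); j = n if j < 0 else j
            buf.append(sql[i:j]); i = j
        elif sql.startswith("/*", i):                # block comment
            j = sql.find("*/", i + 2); j = n if j < 0 else j + 2
            buf.append(sql[i:j]); i = j
        elif ch == ";":                              # statement boundary
            stmts.append("".join(buf).strip()); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts

def assert_single_statement(sql: str) -> str:
    """Guard to run before handing dynamically built SQL to the driver:
    refuse text that the split would execute as more than one statement."""
    parts = split_statements(sql)
    if len(parts) != 1:
        raise ValueError(f"expected one statement, found {len(parts)}: {parts}")
    return parts[0]

# The string from the report: the middle statement is the one that still runs.
REPORTED = "select c1 from t1 order by;drop t2; c1"

ALLOWED_ORDER_COLUMNS = {"c1", "c2"}   # constructed whitelist of sort columns

def order_query(column: str) -> str:
    """Build the ORDER BY query from a user-chosen column via a whitelist,
    since a column name cannot be passed as a bound parameter."""
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    return assert_single_statement(f"select c1 from t1 order by {column}")
```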
