On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
> The following bug has been logged online:
>
> Bug reference: 1049
> Logged by: Tom Hargrave
> Email address: tomh@fisher.co.uk
> Description: Invalid SQL Executed as JDBC Prepared Statement still
> executes embedded SQL
> select c1 from t1 order by;drop t2; c1
Does JDBC not include the ability to escape supplied parameters so "dangerous"
characters are handled properly? Or are you saying that it fails to deal with
semicolons?
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.
NEVER allow unchecked data from an untrusted user into your system. This is
standard security practice.
--
Richard Huxton
Archonet Ltd
