Re: Invalid SQL still executes valid sub transactions in Prepared Statement - Mailing list pgsql-jdbc

From Paul Thomas
Subject Re: Invalid SQL still executes valid sub transactions in Prepared Statement
Date
Msg-id 20040116152639.A28319@bacon
In response to Invalid SQL still executes valid sub transactions in Prepared Statement  ("Tom Hargrave" <Tomh@fisher.co.uk>)
List pgsql-jdbc
On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
>
> If a piece of SQL is executed in a JDBC prepared statement that includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of SQL
> still executes even though the overall statement is invalid.
>
> Example:
>
> select c1 from t1 order by;drop t2; c1
>
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

Use java.sql.PreparedStatement instead of java.sql.Statement. The driver
will safely escape the user-entered string so that SQL Injection cannot
take place. Look through the archives for list (IRC last summer-ish). ISTR
we had some discussion on SQL Injection and some patches to the driver
were submitted.

>
> See article:
>
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

There are undoubtedly better resources on the net regarding this subject
and how to avoid it as well as best-practice web application design.


--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+
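
Added example, not part of the original message or of the driver's code: in the quoted statement the user input lands in the ORDER BY position, and JDBC bind parameters carry values only, not column names, so the sketch below picks the sort column from an allowlist and binds the value with `setString`. The table `t1` and column `c1` come from the post; the class name, the column `c2`, the `owner` column and the caller-supplied `Connection` are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class SafeOrderBy {
    // Allowlist of sort keys -> column identifiers (c2 is an assumed column).
    private static final Map<String, String> SORT_COLUMNS = Map.of("c1", "c1", "c2", "c2");

    // The request string is only used as a lookup key; the SQL text is built
    // from the allowlisted identifier, never from the request string itself.
    static String buildQuery(String sortKey) {
        String column = (sortKey == null) ? null : SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        // "owner" is an assumed column used to show a bound value.
        return "SELECT c1 FROM t1 WHERE owner = ? ORDER BY " + column;
    }

    static List<String> fetch(Connection conn, String owner, String sortKey) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(buildQuery(sortKey))) {
            ps.setString(1, owner); // the value is passed as a parameter, not as SQL text
            try (ResultSet rs = ps.executeQuery()) {
                List<String> rows = new ArrayList<>();
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
                return rows;
            }
        }
    }

    public static void main(String[] args) {
        // Runs without a database: shows which sort keys reach the SQL text.
        System.out.println(buildQuery("c1"));
        try {
            buildQuery(";drop t2; c1"); // constructed input shaped like the post's example
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```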
