Csaba Nagy <nagy@ecircle-ag.com> writes:
> The JDBC driver should not do any parsing of the SQL code in the first
> place. That's the job of the server, so only the server can tell it's an
> invalid statement.
> And the server will interpret it as 3 different statements, treating
> them independently, and 2 of them will be invalid, and one will execute
> correctly...
But if the three statements are sent as a single query string, a failure
in any one will cause all three to be rolled back. The complaint
suggests to me that JDBC *is* parsing the code, at least to the extent
of separating the statements. Probably it should not.
Now, the real answer to the security aspect of this is "you should be
more careful about quoting strings from untrusted sources". (Parameters
are just one way to do that.) But I am curious to understand what
exactly JDBC is doing with a multi-statement query string.
regards, tom lane