Re: Prepared Statements - Mailing list pgsql-jdbc

From Dmitry Tkach
Subject Re: Prepared Statements
Date
Msg-id 3F16C05B.3030109@openratings.com
Whole thread Raw
In response to Re: Prepared Statements  (Csaba Nagy <nagy@ecircle-ag.com>)
Responses Re: Prepared Statements
List pgsql-jdbc
>
>
>In my understanding the prepared statement will properly escape any
>parameter so it can be trusted that the resulting query will not contain
>something you wouldn't expect. Example (< and > are delimiters, ignore
>them):
>
>query: <SELECT * from address_book WHERE name = ?>
>
>input: <joe';delete from address_book where 'true>
>
>result if you just replace the <?> with <'$input'>:
>SELECT * from address_book WHERE name = 'joe';delete from address_book
>where 'true'
>-> results in 2 statements executed
>
Nope. You missed a quote :-)

The resulting query would be:
SELECT * from address_book WHERE name = 'joe'';delete from address_book 
where 'true';

This will be a syntax error - not "2 statements executed"... not even 
one statement :-)

But that's not the point anyway.
The app that accepts user input the way you describe and just puts 
quotes around it is of little use anyway ...
To be useful, it would have to take care about escaping the special 
characters on its own - not even to prevent "injection attacs", but just 
to be functional in the way that doesn't generate unexpected syntax 
errors (or just totally wrong data being entered)  just because the 
user's input happens to contain a character that has a special meaning 
to the parser.

Dima




pgsql-jdbc by date:

Previous
From: Csaba Nagy
Date:
Subject: Re: Prepared Statements
Next
From: Paul Thomas
Date:
Subject: Re: setFetchSize