Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From Fernando Nasser
Subject Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Date
Msg-id 3F1E84DD.5000008@redhat.com
In response to Re: Prepared Statements  (wsheldah@lexmark.com)
Responses Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)  (Barry Lind <blind@xythos.com>)
List pgsql-jdbc
Barry Lind wrote:
> Oliver,
>
> Yes that will no longer work.  But syntactically it shouldn't anyway.
> You are passing a set of strings and saying the type is NUMERIC.  What
> will still work is passing a set of numeric values:
>
>    stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
>

Can we pass a set of strings?  Otherwise it is a half-way solution.

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

Will it be the string '('a1', 'b2', 'c3')' or the list of strings 'a1',
'b2' and 'c3'?


--
Fernando Nasser
Red Hat Canada Ltd.                     E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
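Added example, not code from pgjdbc or from anyone in this thread: a small Python model of the client-side parameter substitution the discussion is about. It shows why a String bound as Types.NUMERIC was an injection vector when the driver pasted it into the statement text unchecked, what a fix has to reject, and why the VARCHAR case Fernando asks about can only ever produce one quoted literal, never a list of values. The bind_vulnerable / bind_fixed functions, the numeric-literal regex and the `?` scanner are assumptions of this model, not the driver's implementation.

```python
import re

# Two of the java.sql.Types targets discussed in the thread (model constants).
NUMERIC = "NUMERIC"
VARCHAR = "VARCHAR"

# Strict numeric literal: optional sign, digits, optional fraction and exponent.
# Anything else (a parenthesised list, an OR clause, a comment marker) is rejected.
# This check is an assumption of the model, not the driver's own validation.
_NUMERIC_RE = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")


def quote_string_literal(value: str) -> str:
    """Render value as a single SQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def bind_vulnerable(value, sql_type):
    """'Before' behaviour (assumed model): a value declared NUMERIC is pasted
    into the statement text verbatim, with no check that it is a number."""
    if sql_type == NUMERIC:
        return str(value)                       # no validation, no quoting
    if sql_type == VARCHAR:
        return quote_string_literal(str(value))
    raise ValueError(f"unsupported type {sql_type}")


def bind_fixed(value, sql_type):
    """'After' behaviour (assumed model): NUMERIC accepts only a real number,
    so the text cannot contribute SQL grammar of its own."""
    if sql_type == NUMERIC:
        text = str(value)
        if not _NUMERIC_RE.match(text):
            raise ValueError(f"cannot bind {text!r} as NUMERIC")
        return text
    if sql_type == VARCHAR:
        return quote_string_literal(str(value))
    raise ValueError(f"unsupported type {sql_type}")


def substitute(sql, params, binder):
    """Replace each ? placeholder outside string literals with its bound
    fragment, the way a driver that builds SQL text client-side would."""
    out, in_literal, idx = [], False, 0
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal         # '' inside a literal toggles twice
            out.append(ch)
        elif ch == "?" and not in_literal:
            if idx >= len(params):
                raise ValueError("not enough parameters")
            value, sql_type = params[idx]
            out.append(binder(value, sql_type))
            idx += 1
        else:
            out.append(ch)
    if idx != len(params):
        raise ValueError("too many parameters")
    return "".join(out)


if __name__ == "__main__":
    q = "SELECT * FROM t WHERE id IN ?"
    # What the NUMERIC trick relied on: the string becomes part of the SQL grammar.
    print(substitute(q, [("(1, 2, 3)", NUMERIC)], bind_vulnerable))
    # The same path with hostile input is the injection the patch closes.
    print(substitute(q, [("(1) OR 1=1 --", NUMERIC)], bind_vulnerable))
    # After the fix only a real number gets through.
    print(substitute("SELECT * FROM t WHERE id = ?", [("42", NUMERIC)], bind_fixed))
    try:
        substitute(q, [("(1, 2, 3)", NUMERIC)], bind_fixed)
    except ValueError as err:
        print("rejected:", err)
    # Fernando's VARCHAR case: one quoted literal, not three values.
    print(substitute("SELECT * FROM t WHERE name IN ?",
                     [("('a1', 'b2', 'c3')", VARCHAR)], bind_fixed))
```

The point of the VARCHAR case is that a bind parameter is one value by definition: the quoted literal `'(''a1'', ''b2'', ''c3'')'` is compared as a single string, so `name IN ?` only matches a row whose name is literally that text. Expanding a list into `IN (?, ?, ?)` with one parameter per element is the only way to get a list through a placeholder without the text becoming SQL.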

