Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From Barry Lind
Subject Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Msg-id 3F32CC01.4030900@xythos.com
In response to Re: Prepared Statements  (wsheldah@lexmark.com)
List pgsql-jdbc
I have committed a change that completely removes the ability to pass
anything other than a numeric value when using the setObject() calls for
types that claim to be numeric.  As Dmitry has pointed out, any desire to
maintain the support for allowing "where ... in (?)" and being able to
pass a list of values for that single bind variable is flawed.  So the
latest patch completely closes the SQL injection vulnerability by
preventing this non-standard behavior.

thanks,
--Barry

Dmitry Tkach wrote:
>
> Ok... What about:
> select * from users where id in ?
> setObject (1, "(select setval ('users_id_seq', 1)"); //to screw up the
> PK sequence
>
> or...
>
> setObject (1, "(1) or true"); //to get a list of all the users and
> passwords
>
> or...
>
> setObject (1, "(1) union all select * from secret_table");
>
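The following is an added illustration of the behaviour discussed in this thread; it is not pgjdbc's code and does not reproduce the committed patch. It assumes a driver that builds the final query text by splicing bind values into the statement (which is why a string passed for a numeric parameter could become part of the SQL). The method names `bindUnchecked` and `bindNumeric`, the query template and the sample inputs are constructed for the example; the payload strings are the ones Dmitry quoted above.

```java
import java.math.BigDecimal;
import java.sql.SQLException;
import java.sql.Types;
import java.util.regex.Matcher;

/**
 * Constructed example: contrast an unchecked bind (toString() spliced into
 * the query) with a bind that coerces the value to a number first and
 * rejects anything that does not parse. Only the latter closes the
 * setObject(int, Object, int) injection path for numeric target types.
 */
public class NumericBindCheck {

    /** Old behaviour: whatever the caller passed is spliced in as-is. */
    static String bindUnchecked(String sqlTemplate, Object value) {
        return sqlTemplate.replaceFirst("\\?", Matcher.quoteReplacement(String.valueOf(value)));
    }

    /**
     * Hardened behaviour: the value must be a number (or parse as one) for
     * the declared SQL type. The emitted literal is re-rendered from the
     * parsed number, so no caller-supplied characters reach the query text.
     */
    static String bindNumeric(String sqlTemplate, Object value, int sqlType) throws SQLException {
        if (value == null) {
            return sqlTemplate.replaceFirst("\\?", "NULL");
        }
        String literal;
        switch (sqlType) {
            case Types.SMALLINT:
            case Types.INTEGER:
            case Types.BIGINT:
                try {
                    long n = (value instanceof Number)
                            ? ((Number) value).longValue()
                            : Long.parseLong(value.toString().trim());
                    literal = Long.toString(n);
                } catch (NumberFormatException e) {
                    throw new SQLException("Value is not a valid integer: " + value);
                }
                break;
            case Types.NUMERIC:
            case Types.DECIMAL:
            case Types.REAL:
            case Types.FLOAT:
            case Types.DOUBLE:
                try {
                    literal = new BigDecimal(value.toString().trim()).toPlainString();
                } catch (NumberFormatException e) {
                    throw new SQLException("Value is not a valid number: " + value);
                }
                break;
            default:
                throw new SQLException("Not a numeric SQL type: " + sqlType);
        }
        return sqlTemplate.replaceFirst("\\?", Matcher.quoteReplacement(literal));
    }

    public static void main(String[] args) {
        String sql = "select * from users where id in (?)";
        Object[] inputs = { 42, "17", " 3 ", "(1) or true", "1) union all select * from secret_table" };
        for (Object in : inputs) {
            System.out.println("input:     " + in);
            System.out.println("unchecked: " + bindUnchecked(sql, in));
            try {
                System.out.println("numeric:   " + bindNumeric(sql, in, Types.INTEGER));
            } catch (SQLException e) {
                System.out.println("numeric:   rejected (" + e.getMessage() + ")");
            }
            System.out.println();
        }
    }
}
```

Running `main` shows the unchecked path emitting the attacker-controlled text verbatim into the query, while the numeric path accepts `42`, `"17"` and `" 3 "` (rendered back as `3`) and throws `SQLException` for the two payload strings. The same principle applies to a driver that uses server-side parameters: the type check belongs at the `setObject` boundary, so a value that cannot be a number for the declared type never gets as far as query construction.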