Re: bytea size limit? - Mailing list pgsql-jdbc

From Oliver Jowett
Subject Re: bytea size limit?
Msg-id 407A25F7.9030602@opencloud.com
In response to Re: bytea size limit?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-jdbc

Tom Lane wrote:
> Oliver Jowett <oliver@opencloud.com> writes:
>
>>... using the V3 extended query protocol (this requires a number of
>>other driver changes, as at a minimum the driver will need to split up
>>queries that contain multiple statements)
>
>
> This is a bit off the thread topic, but: does the JDBC spec actually
> allow/expect multiple SQL commands in a query?  Some people thought that
> the V3 restriction to one command per query string was a Good Thing
> because it helps guard against SQL-injection attacks when an application
> is careless about inserting untrustworthy text into a command string.
> If you don't have a spec requirement to cope with this, then I'd advise
> against adding code to support it.

I don't think there's such a requirement. The JDBC spec is vague, but
Sun's JDBC tutorial says:

===
This code does not end with a DBMS statement terminator, which can vary
from DBMS to DBMS. For example, Oracle uses a semicolon (;) to indicate
the end of a statement, and Sybase uses the word go. The driver you are
using will automatically supply the appropriate statement terminator,
and you will not need to include it in your JDBC code.
===

That said, executing multiple commands in a query seems quite common,
and works ok with the current driver. I'd be reluctant to break existing
apps by forbidding it.

Also, the JDBC spec recommends:

===
Drivers should provide access to every feature implemented by the
underlying data source, including features that extend the JDBC API.
When a feature is not supported, the corresponding methods throw an
SQLException. The intent is for applications using the JDBC API to have
access to the same feature set as native applications.
===

-O
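
The statement splitting mentioned in this message, sketched as an added example (not part of the original e-mail and not pgjdbc code; the class and method names are hypothetical). It splits a query string on semicolons outside quotes and comments, and shows a carelessly concatenated value turning one intended command into two, which a one-command-per-query-string rule would reject. It assumes standard SQL quoting only: backslash escapes, E'' strings, dollar quoting and nested block comments are not handled.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration; names are hypothetical, not the driver's implementation.
public class StatementSplitter {

    // Split on semicolons that sit outside quotes and comments.
    static List<String> split(String sql) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        int i = 0, n = sql.length();
        while (i < n) {
            char c = sql.charAt(i);
            int end = i + 1;                       // exclusive end of the current token
            if (c == '\'' || c == '"') {           // string literal or quoted identifier
                end = sql.indexOf(c, i + 1);       // a doubled quote simply reopens a token
                end = (end < 0) ? n : end + 1;
            } else if (sql.startsWith("--", i)) {  // line comment runs to end of line
                end = sql.indexOf('\n', i);
                end = (end < 0) ? n : end;
            } else if (sql.startsWith("/*", i)) {  // block comment
                end = sql.indexOf("*/", i + 2);
                end = (end < 0) ? n : end + 2;
            } else if (c == ';') {                 // top-level terminator
                flush(out, cur);
                i = end;
                continue;
            }
            cur.append(sql, i, end);
            i = end;
        }
        flush(out, cur);
        return out;
    }

    private static void flush(List<String> out, StringBuilder cur) {
        String s = cur.toString().trim();
        if (!s.isEmpty()) out.add(s);
        cur.setLength(0);
    }

    public static void main(String[] args) {
        // Constructed input: a value spliced into the command text without escaping.
        String name = "x'; SELECT 2 --";
        String careless = "SELECT * FROM t WHERE name = '" + name + "'";
        List<String> parts = split(careless);
        System.out.println(parts.size() + " statement(s): " + parts);
        // A semicolon inside a literal or a comment is not a terminator.
        System.out.println(split("SELECT ';' AS s; -- a;b\nSELECT 2"));
    }
}
```

A splitter that disagrees with the server's own lexer about where a literal ends is itself a risk, which is one reason to bind values as parameters rather than rely on client-side parsing.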
