Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From Tom Lane
Subject Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Date
Msg-id 6042.1058880833@sss.pgh.pa.us
In response to Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)  (Oliver Jowett <oliver@opencloud.com>)
List pgsql-jdbc
Oliver Jowett <oliver@opencloud.com> writes:
> ... won't this break code that does something like this? :

>   stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
>   stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

Code that does that is just going to have to break.  We should try to
provide equivalent functionality in a less unsafe fashion; but
backwards compatibility with code that is exploiting a security hole
is not an option.

            regards, tom lane
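One less unsafe way to get the IN-list behaviour the quoted snippet wanted, as an added example that is not from this thread or the pgsql-jdbc driver: expand the list to one placeholder per value and bind each value as a string, so nothing the caller supplies is spliced into the SQL text. The table and column names follow the quoted snippet; `SafeInList`, `buildInQuery` and `prepareInQuery` are names chosen here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

// Added example, not code from the pgsql-jdbc thread or driver.
// Replaces setObject(1, "('a', 'b', 'c')", Types.NUMERIC), which relies on the
// driver emitting the string unquoted, with one bound parameter per value.
public class SafeInList {

    // Builds "SELECT * FROM table WHERE string_key IN (?, ?, ..., ?)" with n
    // placeholders. Table and column names are fixed here; only values vary.
    static String buildInQuery(int n) {
        if (n < 1) {
            throw new IllegalArgumentException("IN list needs at least one value");
        }
        StringBuilder sql = new StringBuilder(
            "SELECT * FROM table WHERE string_key IN (");
        for (int i = 0; i < n; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    // Prepares the statement and binds every key with setString, so a value
    // containing quotes or SQL fragments reaches the server as a string
    // literal, never as part of the statement text.
    static PreparedStatement prepareInQuery(Connection conn, List<String> keys)
            throws SQLException {
        PreparedStatement stmt = conn.prepareStatement(buildInQuery(keys.size()));
        for (int i = 0; i < keys.size(); i++) {
            stmt.setString(i + 1, keys.get(i)); // JDBC parameter indexes are 1-based
        }
        return stmt;
    }

    public static void main(String[] args) {
        // Shows the generated SQL without needing a database connection.
        System.out.println(buildInQuery(3));
    }
}
```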
