Home > mailing lists

Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From	Tom Lane
Subject	Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Date	July 22, 2003 13:49:41
Msg-id	6042.1058880833@sss.pgh.pa.us Whole thread Raw
In response to	Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Oliver Jowett <oliver@opencloud.com>)
List	pgsql-jdbc

Tree view

Oliver Jowett <oliver@opencloud.com> writes:
> ... won't this break code that does something like this? :

>   stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
>   stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

Code that does that is just going to have to break.  We should try to
provide equivalent functionality in a less unsafe fashion; but
backwards compatibility with code that is exploiting a security hole
is not an option.

            regards, tom lane

pgsql-jdbc by date:

From: Oliver Jowett
Date: 22 July 2003, 13:46:17
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

From: Oliver Jowett
Date: 22 July 2003, 13:51:45
Subject: patch: make setObject(...) more consistent about the types it generates

Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

Previous

Next