Re: Prepared Statements - Mailing list pgsql-jdbc

From wsheldah@lexmark.com
Subject Re: Prepared Statements
Date
Msg-id OF69448676.5816D221-ON85256D67.0052BF5D@lexmark.com
Whole thread Raw
In response to Prepared Statements  (Julien Le Goff <julien.legoff@laposte.net>)
Responses Re: Prepared Statements
List pgsql-jdbc
If it only skips the escaping for numeric types, the obvious workaround
would be first put the user's entry into an int variable:

int userId = getUserId();
PreparedStatement s = c.prepareStatement ("select * from user where id
= ?");
s.setObject(1, userId, Types.INTEGER);

That way you use java's built-in type checking to avoid sending non-numeric
data to the backend any time you're specifying a numeric type that will
skip the escaping.

Can someone confirm that it at least does do the escaping for
string/varchar inputs?

Wes Sheldahl



Csaba Nagy <nagy@ecircle-ag.com>@postgresql.org on 07/18/2003 10:46:33 AM

Sent by:    pgsql-jdbc-owner@postgresql.org


To:    Fernando Nasser <fnasser@redhat.com>
cc:    Dmitry Tkach <dmitry@openratings.com>, Barry Lind
       <blind@xythos.com>, wsheldah@lexmark.com, "pgsql-jdbc @ postgresql
       " ". org" <pgsql-jdbc@postgresql.org>
Subject:    Re: [JDBC] Prepared Statements


I have checked, the query is indeed sent like that to the backend, I've
just checked.
It is a bug.
Presumably for number types the parameter set is passed as it is,
without any escaping.

Cheers,
Csaba.


On Fri, 2003-07-18 at 16:38, Fernando Nasser wrote:
> Dmitry Tkach wrote:
> > Barry Lind wrote:
> >
> >> If using a PreparedStatement the driver correctly escapes all values
> >> to avoid SQL injection attacks.
> >
> >
> > No, it doesn't :-)
> > For example:
> >
> > PreparedStatement s = c.prepareStatement ("select * from user where id
=
> > ?");
> > s.setObject (1, "null;drop database mydatabase", Types.INTEGER);
> > System.out.println (s.toString ());
> >
> > select * from user where id=null;drop database mydb
> >
> > :-)
> >
>
> I don't believe this is actually being sent to the backend, maybe it is
> just a toString() bug.
>
> The backend should get:
>
> select * from user where id='null;drop database mydb'
>
> (If it does not it is a bug.)
>
>
> P.S.: The example case would only succeed if the DBA is an idiot.
> You program should not be accessing the database (for this queries at
> least) as an user who can drop databases unless it is a privileged
> program for privileged users (who could do the damage using plain psql
> anyway).  Perhaps the injection of a 'DELETE FROM mytable' would be a
> more realistic example.
>
>
> --
> Fernando Nasser
> Red Hat Canada Ltd.                     E-Mail:  fnasser@redhat.com
> 2323 Yonge Street, Suite #300
> Toronto, Ontario   M4P 2C9
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 8: explain analyze is your friend
>



---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
      subscribe-nomail command to majordomo@postgresql.org so that your
       message can get through to the mailing list cleanly





pgsql-jdbc by date:

Previous
From: Csaba Nagy
Date:
Subject: Re: Prepared Statements
Next
From: Kim Ho
Date:
Subject: Re: Prepared Statements