Re: [GENERAL] Prepared statement performance... - Mailing list pgsql-jdbc

From nferrier@tapsellferrier.co.uk
Subject Re: [GENERAL] Prepared statement performance...
Msg-id ur8etpeai.fsf@tapsellferrier.co.uk
In response to Re: [GENERAL] Prepared statement performance...  ("Peter Kovacs" <peter.kovacs@sysdata.siemens.hu>)
List pgsql-jdbc
"Peter Kovacs" <peter.kovacs@sysdata.siemens.hu> writes:

> Thank you for your explanation. But I still do not see how
> >     INSERT INTO Users (username) VALUES ('joe'; DROP TABLE users');
> will be evaluated so that it drops table 'users'. Actually, this should
> evaluate to a syntax error, shouldn't it?

That's right. I think Toby is mistaking the classic JavaScript hack
for a SQL hack.

The JS hack is possible because developers rarely use strong
validation for input fields, thus allowing JS statements into the
database. When these are presented on webpages they can get up to all
sorts of tricks and wheezes.

I've never heard of a SQL hack based on input fields; it seems most
unlikely, but something could probably be done based on stored procs.
The hacker would have to have intimate knowledge of the stored procs
and would also have to find one that would do something dangerous.


Nic
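An added illustration (not part of the thread) of the two ways the value under discussion can reach the database, using Python's sqlite3 module as an offline stand-in for the PostgreSQL JDBC driver; the `USER_INPUT` value and the `users` table are constructed here to match the thread's example.

```python
import sqlite3

# Constructed sample input: the value from the thread, as it would arrive
# from an input field (the caller's SQL adds the surrounding quotes).
USER_INPUT = "joe'; DROP TABLE users"

def fresh_db():
    """In-memory database holding the users table the thread talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    return conn

def insert_by_concatenation(conn, username):
    """Splice the value into the SQL text, as the thread's example does.
    Returns (sql_text_sent, error_name_or_None). With the thread's input the
    text is not one well-formed statement (dangling quote, extra semicolon),
    so the database rejects it and nothing runs; on PostgreSQL it surfaces
    as the syntax error Peter expects."""
    sql = "INSERT INTO users (username) VALUES ('" + username + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return sql, None
    except sqlite3.Error as exc:
        return sql, type(exc).__name__

def insert_by_parameter(conn, username):
    """Bind the value as a parameter (what a JDBC PreparedStatement does):
    SQL and value travel separately, so quotes and semicolons inside the
    value are data, never SQL."""
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()

def table_exists(conn, name="users"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row[0] == 1

def stored_usernames(conn):
    return [r[0] for r in conn.execute("SELECT username FROM users")]

if __name__ == "__main__":
    db = fresh_db()
    print(insert_by_concatenation(db, USER_INPUT))  # rejected, table intact
    insert_by_parameter(db, USER_INPUT)
    print(table_exists(db), stored_usernames(db))   # True, one literal row
```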
