Thread: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
From
"PostgreSQL Bugs List"
Date:
The following bug has been logged online:

Bug reference: 1049
Logged by: Tom Hargrave
Email address: tomh@fisher.co.uk
PostgreSQL version: 7.3.2
Operating system: Linux
Description: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
Details:

If a piece of SQL is executed in a JDBC prepared statement that includes a semicolon and a valid piece of SQL, then the embedded valid piece of SQL still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that inputs strings that are used to construct a statement, since a hacker can embed SQL within a single field that executes regardless of the overall statement being invalid.

See article: http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
Re: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
From
Richard Huxton
Date:
On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
> The following bug has been logged online:
>
> Bug reference: 1049
> Logged by: Tom Hargrave
> Email address: tomh@fisher.co.uk
> Description: Invalid SQL Executed as JDBC Prepared Statement still
> executes embedded SQL
> select c1 from t1 order by;drop t2; c1

Does JDBC not include the ability to escape supplied parameters so "dangerous" characters are handled properly? Or are you saying that it fails to deal with semicolons?

> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

NEVER allow unchecked data from an untrusted user into your system. This is standard security practice.

--
Richard Huxton
Archonet Ltd