Thread: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

From: "PostgreSQL Bugs List"
Date: Wednesday 14 January 2004 12:48
The following bug has been logged online:

Bug reference:      1049
Logged by:          Tom Hargrave
Email address:      tomh@fisher.co.uk
PostgreSQL version: 7.3.2
Operating system:   Linux
Description:        Invalid SQL Executed as JDBC Prepared Statement still
                    executes embedded SQL

Details:

If a piece of SQL is executed in a JDBC prepared statement that includes a
semicolon and a valid piece of SQL, then the embedded valid piece of SQL
still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.

See article:

http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
> The following bug has been logged online:
>
> Bug reference:      1049
> Logged by:          Tom Hargrave
> Email address:      tomh@fisher.co.uk

> Description:        Invalid SQL Executed as JDBC Prepared Statement still
> executes embedded SQL

> select c1 from t1 order by;drop t2; c1

Does JDBC not include the ability to escape supplied parameters so "dangerous"
characters are handled properly? Or are you saying that it fails to deal with
semicolons?

> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

NEVER allow unchecked data from an untrusted user into your system. This is
standard security practice.

--
  Richard Huxton
  Archonet Ltd
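
As an added example (not code from the report or from the pgjdbc project), here is the vulnerable construction Tom Hargrave describes beside the parameter handling Richard Huxton's reply asks about. It assumes a PostgreSQL database reachable at the placeholder JDBC_URL with tables t1(c1, c2) and t2, and placeholder credentials; none of those names come from the thread. Two caveats the thread does not spell out: the report's "drop t2" is shorthand, PostgreSQL needs "drop table t2", so the constructed payload uses the full form; and an ORDER BY column is an identifier, which a JDBC "?" parameter cannot supply (binding it would sort by a constant), so for that particular field the fix is an allow-list of column names, with "?" binding reserved for values. Whether a given driver version still forwards the embedded DROP after the outer statement fails is exactly what the report asks; the tableExists check answers it for the driver you run.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

/*
 * Added example, not code from the bug report. Assumptions: a PostgreSQL
 * database at JDBC_URL with tables t1(c1, c2) and t2, and the credentials
 * below; all of those names are placeholders.
 */
public class OrderByInjection {

    static final String JDBC_URL = "jdbc:postgresql://localhost/testdb"; // assumption
    static final String USER = "app";                                     // assumption
    static final String PASSWORD = "secret";                              // assumption

    // Constructed hostile "sort column", modelled on the report's example
    // (with the full DROP TABLE form): the first ';' terminates the now
    // invalid outer statement, so the embedded DROP reaches the server as
    // a statement of its own.
    static final String HOSTILE_SORT = ";drop table t2; c1";

    // The only identifiers ever allowed into statement text.
    static final Set<String> SORTABLE_COLUMNS = Set.of("c1", "c2");

    /** Vulnerable: untrusted input becomes part of the statement text. */
    static String vulnerableQuery(String sortColumn) {
        return "select c1 from t1 order by " + sortColumn;
    }

    /**
     * Hardened: an ORDER BY column is an identifier, which cannot be bound
     * as a '?' parameter, so it is chosen from a fixed allow-list instead.
     */
    static String safeQuery(String sortColumn) {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        return "select c1 from t1 order by " + sortColumn;
    }

    /** Values, as opposed to identifiers, go through bind parameters. */
    static int countRowsWithValue(Connection conn, String value) throws SQLException {
        // The driver sends the bound value separately from the statement text,
        // so ";drop table t2;" inside it is compared as data, never parsed as SQL.
        try (PreparedStatement ps = conn.prepareStatement("select count(*) from t1 where c1 = ?")) {
            ps.setString(1, value);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    /** Check used to confirm whether the embedded DROP actually ran. */
    static boolean tableExists(Connection conn, String table) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        try (ResultSet rs = md.getTables(null, null, table, new String[] {"TABLE"})) {
            return rs.next();
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL, USER, PASSWORD)) {
            // 1. Reproduce the report: the outer statement is a syntax error.
            //    The question the report raises is whether t2 survives anyway.
            try (Statement st = conn.createStatement()) {
                st.execute(vulnerableQuery(HOSTILE_SORT));
            } catch (SQLException e) {
                System.out.println("outer statement rejected: " + e.getMessage());
            }
            System.out.println("t2 still exists: " + tableExists(conn, "t2"));

            // 2. The allow-list rejects the input before any SQL is built.
            try {
                safeQuery(HOSTILE_SORT);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }

            // 3. The same string bound as a value is inert: it simply matches no rows.
            System.out.println("rows whose c1 equals the hostile string: "
                    + countRowsWithValue(conn, HOSTILE_SORT));
        }
    }
}
```

Run it against a scratch database with the PostgreSQL JDBC driver on the classpath. The allow-list is the general rule for anything that lands in statement text as an identifier or keyword (column names, sort direction, table names); everything the user supplies as a value goes through "?" binding, and the original input string is never concatenated into SQL at all.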