Thread: SQL injection bug for null-terminated strings?

SQL injection bug for null-terminated strings?

From
joe user
Date:
From looking at some logs, it looks like there might
be an SQL injection bug with null-terminated strings.
Is this a known problem?  If it is not, I will try to
write a test program to trigger it.

Thanks for any info.



Re: SQL injection bug for null-terminated strings?

From
Kris Jurka
Date:

On Sun, 31 Aug 2003, joe user wrote:

> From looking at some logs, it looks like there might
> be an SQL injection bug with null-terminated strings.
> Is this a known problem?  If it is not, I will try to
> write a test program to trigger it.
>

This has been fixed in the development version of the driver.

See the following, check revision 1.29


http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java

Kris Jurka



Re: SQL injection bug for null-terminated strings?

From
Barry Lind
Date:
Also patched into the latest 7.3 build.

--Barry

Kris Jurka wrote:
>
> On Sun, 31 Aug 2003, joe user wrote:
>
>
>>From looking at some logs, it looks like there might
>>be an SQL injection bug with null-terminated strings.
>>Is this a known problem?  If it is not, I will try to
>>write a test program to trigger it.
>>
>
>
> This has been fixed in the development version of the driver.
>
> See the following, check revision 1.29
>
>
> http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/interfaces/jdbc/org/postgresql/jdbc1/AbstractJdbc1Statement.java
>
> Kris Jurka
>
>
>