Re: [GENERAL] Prepared statement performance...

From: "Peter Kovacs" <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu>
To: <nferrier(at)tapsellferrier(dot)co(dot)uk>
Cc: <pgsql-jdbc(at)postgresql(dot)org>, "Toby" <toby(at)paperjet(dot)com>
Subject: Re: [GENERAL] Prepared statement performance...
Date: 2002-10-14 10:03:05
Message-ID: 03df01c27368$e72e9d20$55550a8b@ACER
Lists: pgsql-general pgsql-jdbc

Thank you. So I think herewith we made pointless the original argument Curt
Sampson made in his mail in support of Barry's twisted interpretation of
PreparedStatement.

Peter

PS:
When I am travelling in Budapest (capital of Hungary, my country) on the
bus, and some exhausted, poor elderly person tries to sheepishly argue with some
youngsters recklessly occupying the last seat in the bus, leaving the elderly
standing, I am always tempted to cynically tell the upset elderly person: "This is public
transport, my lady. If you wish first class service, you should take a taxi."
Of course, I never say this, because it would be a sign of very bad taste.
But I often give *myself* this kind of rebuff when I am surfing open
source mailing lists and find people saying this and that without giving a
shit to think about it first or --more importantly-- to think about the
context in which they're making their remarks: "My dear, this is public transport,
worth the money you pay for it."

The above was meant to be humorous.

----- Original Message -----
From: <nferrier(at)tapsellferrier(dot)co(dot)uk>
To: "Peter Kovacs" <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu>
Cc: <pgsql-jdbc(at)postgresql(dot)org>; "Toby" <toby(at)paperjet(dot)com>
Sent: Monday, October 14, 2002 11:20 AM
Subject: Re: [JDBC] [GENERAL] Prepared statement performance...

> "Peter Kovacs" <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu> writes:
>
> > Thank you for your explanation. But I still do not see how
> > > INSERT INTO Users (username) VALUES ('joe'; DROP TABLE users');
> > will be evaluated so that it drops table 'users'. Actually, this should
> > evaluate to a syntax error, shouldn't it?
>
> That's right. I think toby is mistaking the classic javascript hack
> for a SQL hack.
>
> The JS hack is possible because developers rarely use strong
> validation for input fields, thus allowing JS statements into the
> database. When these are presented on webpages they can get up to all
> sorts of tricks and wheezes.
>
> I've never heard of a SQL hack based on input fields; it seems most
> unlikely, but something could probably be done based on stored procs.
> The hacker would have to have intimate knowledge of the stored procs
> and would also have to find one that would do something dangerous.
>
>
> Nic
>
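Added example, not part of the thread and not the JDBC driver's code: a Python script that feeds the exact string quoted above to both query-building styles. It assumes an in-memory SQLite database standing in for PostgreSQL and the DB-API `?` placeholder in place of JDBC's `PreparedStatement`; the `users` table, its `username` column and the `alice` row are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the exact string discussed in the thread.
# For this string the concatenated query does not even parse; the point is
# to show what each query-building style does with the same input.
HOSTILE_USERNAME = "joe'; DROP TABLE users"


def fresh_db():
    """In-memory SQLite database standing in for PostgreSQL (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL)")
    conn.execute("INSERT INTO users (username) VALUES ('alice')")
    conn.commit()
    return conn


def insert_concatenated(conn, username):
    """The vulnerable pattern: the value is pasted into the SQL text.

    Returns a short description of what the database did with it.
    """
    sql = "INSERT INTO users (username) VALUES ('" + username + "');"
    try:
        conn.execute(sql)
        conn.commit()
        return "inserted"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # The quote is never closed before ';', so the parser rejects the
        # statement, exactly as Peter expected. (Older Pythons report a
        # multi-statement string as sqlite3.Warning, hence the tuple.)
        conn.rollback()
        return "error: " + str(exc)


def insert_parameterized(conn, username):
    """The prepared-statement pattern: SQL text and value travel separately.

    The value is bound to the placeholder and is never parsed as SQL.
    """
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()
    return "inserted"


def table_exists(conn):
    """True if the users table is still in the schema catalogue."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def stored_usernames(conn):
    """All usernames in insertion order."""
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY rowid")]


def demo():
    """Run both styles against the same input and report the outcome."""
    conn = fresh_db()
    concat_result = insert_concatenated(conn, HOSTILE_USERNAME)
    param_result = insert_parameterized(conn, HOSTILE_USERNAME)
    return {
        "concatenated": concat_result,
        "parameterized": param_result,
        "table_survived": table_exists(conn),
        "rows": stored_usernames(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For this particular string the concatenated query fails to parse, which is the outcome the thread already anticipates; the parameterized insert stores the whole string, quote and semicolon included, as an ordinary username, and the table is untouched in both cases. The defender's takeaway is that binding removes the question of how the server would parse a given value, because with a prepared statement the value is never handed to the SQL parser at all.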
