
BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

From: "PostgreSQL Bugs List" <pgsql-bugs(at)postgresql(dot)org>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
Date: 2004-01-14 12:48:04
Message-ID: 20040114124804.0D1E2CF4A06@www.postgresql.com
Lists: pgsql-bugs
The following bug has been logged online:

Bug reference:      1049
Logged by:          Tom Hargrave
Email address:      tomh(at)fisher(dot)co(dot)uk
PostgreSQL version: 7.3.2
Operating system:   Linux
Description:        Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

Details: 

If a piece of SQL is executed in a JDBC prepared statement that includes a 
semicolon and a valid piece of SQL, then the embedded valid piece of SQL 
still executes even though the overall statement is invalid. 

Example: 

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that 
inputs strings that are used to construct a statement, since a hacker can 
embed SQL within a single field that executes regardless of the overall 
statement being invalid. 

See article:

http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
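The report's example arises when a user-supplied ORDER BY target is concatenated into the query text. The following Java/JDBC code is an added illustration, not code from the report or from the PostgreSQL JDBC driver: it shows the concatenating pattern for contrast and a hardened variant. Because an identifier cannot be supplied as a bind parameter, the hardened version checks the sort column against a fixed allowlist and binds the only data value (here a hypothetical "owner" filter) with a PreparedStatement parameter; the table and column names t1, t2, c1, c2 and the owner column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class OrderByExample {

    // The pattern the report describes: untrusted input is pasted into the
    // statement text, so a value such as ";drop t2; c1" reaches the server
    // as SQL rather than as data. Kept only to show what the fix replaces.
    static String buildUnsafeQuery(String sortColumn) {
        return "select c1 from t1 order by " + sortColumn;
    }

    // Identifiers cannot be bound as parameters, so the ORDER BY target is
    // restricted to a closed set of column names known at development time
    // (assumed columns for this example).
    private static final Set<String> SORTABLE_COLUMNS = Set.of("c1", "c2");

    static String buildSafeQuery(String sortColumn) {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException(
                "unsupported sort column: " + sortColumn);
        }
        // Only the allowlisted identifier is interpolated; the data value
        // (owner) is left as a '?' placeholder for parameter binding.
        return "select c1 from t1 where owner = ? order by " + sortColumn;
    }

    // Runs the hardened query. The owner value travels as a bound parameter,
    // never as part of the statement text, so a semicolon in it is just data.
    static List<String> findRows(Connection conn, String owner,
                                 String sortColumn) throws SQLException {
        String sql = buildSafeQuery(sortColumn);
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("c1"));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed input modelled on the report's example.
        String hostile = ";drop t2; c1";

        // Concatenation hands the hostile text to the server verbatim.
        System.out.println("unsafe: " + buildUnsafeQuery(hostile));

        // The allowlist refuses it before any SQL is built.
        try {
            buildSafeQuery(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }

        // A legitimate sort column passes.
        System.out.println("safe: " + buildSafeQuery("c2"));
    }
}
```

The allowlist is the essential part: a PreparedStatement protects values that are bound with setString and friends, but anything concatenated into the query text (column names, table names, sort direction) is still interpreted as SQL, which is exactly the situation the report describes. A second, independent layer is to run the web application under a database role that lacks DROP and other DDL privileges, so that an injected statement that does reach the server cannot destroy tables.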


