From: | Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk> |
---|---|
To: | Tom Hargrave <Tomh(at)fisher(dot)co(dot)uk> |
Cc: | "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: Invalid SQL still executes valid sub transactions in Prepared Statement |
Date: | 2004-01-16 15:26:39 |
Message-ID: | 20040116152639.A28319@bacon |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-jdbc |
On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
>
> If a piece of SQL is executed in a JDBC prepared statement that
> includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of
> SQL
> still executes even though the overall statement is invalid.
>
> Example:
>
> select c1 from t1 order by;drop t2; c1
>
> This causes security issues if the SQL is constructed from a web page
> that
> inputs strings that are used to construct a statement, since a hacker
> can
> embed SQL within a single field that executes regardless of the overall
>
> statement being invalid.
Use java.sql.PreparedStatement instead of java.sql.Statement. The driver
will safely escape the user-entered string so that SQL Injection cannot
take place. Look through the archives for list (IRC last summer-ish). ISTR
we had some discussion on SQL Injection and some patches to the driver
were submitted.
>
> See article:
>
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
There are undoubtably better resources on the net regarding this subject
and how to avoid it as well as best-practice web application design.
--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller
Business |
| Computer Consultants |
http://www.thomas-micro-systems-ltd.co.uk |
+------------------------------+---------------------------------------------+
From | Date | Subject | |
---|---|---|---|
Next Message | Alessandro Depase | 2004-01-16 15:43:00 | getTables or code problem? |
Previous Message | Csaba Nagy | 2004-01-16 15:03:28 | Re: Invalid SQL still executes valid sub transactions |