Re: Invalid SQL still executes valid sub transactions in Prepared Statement

From: Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk>
To: Tom Hargrave <Tomh(at)fisher(dot)co(dot)uk>
Cc: "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Invalid SQL still executes valid sub transactions in Prepared Statement
Date: 2004-01-16 15:26:39
Message-ID: 20040116152639.A28319@bacon
Lists: pgsql-jdbc


On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
>
> If a piece of SQL is executed in a JDBC prepared statement that includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of SQL
> still executes even though the overall statement is invalid.
>
> Example:
>
> select c1 from t1 order by;drop t2; c1
>
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

Use java.sql.PreparedStatement instead of java.sql.Statement. The driver
will safely escape the user-entered string so that SQL Injection cannot
take place. Look through the archives for the list (IIRC last summer-ish). ISTR
we had some discussion on SQL Injection and some patches to the driver
were submitted.

>
> See article:
>
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

There are undoubtedly better resources on the net regarding this subject
and how to avoid it as well as best-practice web application design.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+
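An added example, not part of this thread or of the pgsql-jdbc driver, showing the defence Paul describes and the caveat that Tom's ORDER BY example exposes. Bind parameters (`?` in a JDBC PreparedStatement) protect values, but a column name in ORDER BY is an identifier and cannot be bound, so it has to be checked against an allow-list before it enters the SQL text. The code uses Python's standard sqlite3 module as an offline stand-in for PostgreSQL and JDBC; the tables t1 and t2, the rows, and the allow-list `SORTABLE_COLUMNS` are constructed assumptions.

```python
import sqlite3

# Constructed allow-list of columns the application permits in ORDER BY (assumption).
SORTABLE_COLUMNS = {"c1", "c2"}


def make_db():
    """Constructed in-memory stand-in for the poster's tables t1 and t2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table t1 (c1 integer, c2 text);"
        "create table t2 (id integer);"
        "insert into t1 values (2, 'b'), (1, 'a'), (3, 'c');"
    )
    return conn


def table_exists(conn, name):
    """True if a table of that name is still present (used to check that t2 survived)."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def select_sorted(conn, order_by):
    """Safe ORDER BY: identifiers cannot be bind parameters, so the column name
    is validated against a fixed allow-list before it is spliced into the SQL."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("column not permitted in ORDER BY: %r" % (order_by,))
    sql = "select c1 from t1 order by " + order_by  # only allow-listed text reaches here
    return [row[0] for row in conn.execute(sql)]


def select_matching(conn, c2_value):
    """Safe WHERE value: the driver binds the parameter as data, never as SQL text."""
    rows = conn.execute("select c1 from t1 where c2 = ?", (c2_value,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    injected = "; drop table t2; c1"  # the clause shape from the original post
    rejected = False
    try:
        select_sorted(conn, injected)  # never reaches the database
    except ValueError:
        rejected = True
    # Bound as a value, similar text is just a string that matches no row.
    matches = select_matching(conn, "'x'; drop table t2; --")
    return {
        "rejected": rejected,
        "t2_survives": table_exists(conn, "t2"),
        "sorted": select_sorted(conn, "c1"),
        "injected_value_rows": matches,
    }


if __name__ == "__main__":
    print(demo())
```

With JDBC the same split applies: pass values through `setString`/`setInt` on a `?` placeholder, and for identifiers (columns, table names, sort direction) map the user's choice onto a fixed set of known-good strings in application code rather than concatenating the raw input.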
