
Re: Invalid SQL still executes valid sub transactions in Prepared Statement

From: Paul Thomas <paul(at)tmsl(dot)demon(dot)co(dot)uk>
To: Tom Hargrave <Tomh(at)fisher(dot)co(dot)uk>
Cc: "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Invalid SQL still executes valid sub transactions in Prepared Statement
Date: 2004-01-16 15:26:39
Message-ID: 20040116152639.A28319@bacon
Lists: pgsql-jdbc
On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
> 
> If a piece of SQL is executed in a JDBC prepared statement that includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of SQL
> still executes even though the overall statement is invalid.
> 
> Example:
> 
> select c1 from t1 order by;drop t2; c1
> 
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

Use java.sql.PreparedStatement instead of java.sql.Statement. The driver
will safely escape the user-entered string so that SQL Injection cannot
take place. Look through the archives for the list (IIRC last summer-ish). ISTR
we had some discussion on SQL Injection and some patches to the driver
were submitted.

> 
> See article:
> 
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

There are undoubtedly better resources on the net regarding this subject
and how to avoid it, as well as best-practice web application design.


-- 
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+
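The pattern Paul recommends, shown as an added example that is not code from this thread or from the PostgreSQL JDBC driver. The table and column names (t1, c1, c2) follow the quoted report; the JDBC URL, credentials and the second column c2 are assumptions for the demonstration. It also covers the caveat the report's own example needs: an ORDER BY column is an identifier, not a value, so it cannot be bound with a `?` placeholder and must instead be checked against an allowlist the application controls. Only the filter value travels as a bind parameter, where a semicolon or quote in it is inert.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

/**
 * Added example: the vulnerable string-concatenation pattern next to
 * the parameterised one. Not code from the pgsql-jdbc thread or driver.
 */
public class OrderByInjection {

    // Assumed connection details, not from the original message.
    private static final String URL = "jdbc:postgresql://localhost:5432/testdb";
    private static final String USER = "app";
    private static final String PASSWORD = "secret";

    /**
     * VULNERABLE: the user-supplied string is spliced into the SQL text, so a
     * value such as "; drop table t2; c1" reaches the server as SQL, exactly
     * as in the quoted report.
     */
    static ResultSet vulnerableQuery(Connection conn, String userSort) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("select c1 from t1 order by " + userSort);
    }

    /** Column names the application itself permits for sorting (assumed schema). */
    private static final Set<String> SORTABLE = Set.of("c1", "c2");

    /**
     * HARDENED: the identifier comes from an allowlist, the value is a bind
     * parameter. User data never becomes part of the SQL text.
     */
    static ResultSet safeQuery(Connection conn, String userSort, String userFilter) throws SQLException {
        if (!SORTABLE.contains(userSort)) {
            throw new IllegalArgumentException("unsupported sort column: " + userSort);
        }
        // The '?' is the only place user data enters; the driver sends it as a
        // parameter value, so ';' or quotes inside it cannot end the statement.
        PreparedStatement ps = conn.prepareStatement(
                "select c1 from t1 where c2 = ? order by " + userSort);
        ps.setString(1, userFilter);
        return ps.executeQuery();
    }

    public static void main(String[] args) throws SQLException {
        // Attacker-controlled inputs, constructed for this demonstration.
        String hostileSort = "; drop table t2; c1";
        String hostileValue = "x'; drop table t2; --";

        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            // The hostile value is compared literally against c2; nothing is dropped.
            try (ResultSet rs = safeQuery(conn, "c1", hostileValue)) {
                while (rs.next()) {
                    System.out.println(rs.getString(1));
                }
            }

            // The hostile sort expression never reaches the server at all.
            try {
                safeQuery(conn, hostileSort, "x");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

vulnerableQuery is kept only as the "before" and is deliberately not called with the hostile input. The allowlist is the part a parameterised query cannot provide: anything that is syntactically an identifier, keyword or expression (sort column, ASC/DESC, table name) has to be chosen by the application from a fixed set, never copied from the request.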

Copyright © 1996-2014 The PostgreSQL Global Development Group