Re: Invalid SQL still executes valid sub transactions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Csaba Nagy <nagy(at)ecircle-ag(dot)com>
Cc: Tom Hargrave <Tomh(at)fisher(dot)co(dot)uk>, Postgres JDBC <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Invalid SQL still executes valid sub transactions
Date: 2004-01-16 16:06:26
Message-ID: 201.1074269186@sss.pgh.pa.us
Lists: pgsql-jdbc

Csaba Nagy <nagy(at)ecircle-ag(dot)com> writes:
> The JDBC driver should not do any parsing of the SQL code in the first
> place. That's the job of the server, so only the server can tell it's an
> invalid statement.
> And the server will interpret it as 3 different statements, treating
> them independently, and 2 of them will be invalid, and one will execute
> correctly...

But if the three statements are sent as a single query string, a failure
in any one will cause all three to be rolled back. The complaint
suggests to me that JDBC *is* parsing the code, at least to the extent
of separating the statements. Probably it should not.

Now, the real answer to the security aspect of this is "you should be
more careful about quoting strings from untrusted sources". (Parameters
are just one way to do that.) But I am curious to understand what
exactly JDBC is doing with a multi-statement query string.

regards, tom lane
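As an added illustration that is not part of this thread or of the PostgreSQL JDBC driver's code, the following Python script uses the standard-library sqlite3 module (standing in for PostgreSQL and JDBC, which are assumed unavailable offline) to contrast the behaviours discussed above: a driver that splits a query string on ';' and runs each piece on its own, so the valid statement persists while the invalid ones fail; the same pieces run inside one transaction, where any failure rolls everything back; and a parameterised lookup, in which an untrusted value containing a quote and a semicolon is bound as data rather than spliced into the SQL text. The table, rows, batch string and untrusted input are all constructed for this example.

```python
import sqlite3

# Constructed sample schema and rows (not from the thread).
SCHEMA = [
    "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)",
    "INSERT INTO accounts (owner, balance) VALUES ('alice', 100)",
    "INSERT INTO accounts (owner, balance) VALUES ('bob', 50)",
]

# Constructed multi-statement string: two invalid statements around one valid one,
# mirroring the situation described in the thread.
MIXED_BATCH = (
    "UPDATE no_such_table SET x = 1; "
    "UPDATE accounts SET balance = balance + 10 WHERE owner = 'alice'; "
    "SELECT * FROM another_missing_table"
)


def fresh_db():
    """Return an in-memory SQLite connection with the sample data loaded."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit; BEGIN/COMMIT are issued explicitly below
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn


def split_statements(text):
    """Naive client-side split on ';', as a driver that separates statements might do.
    It does not understand quoting, which is one reason a driver should not attempt it."""
    return [s.strip() for s in text.split(";") if s.strip()]


def execute_independently(conn, text):
    """Emulate a driver that runs each piece as its own statement outside any
    transaction: failures are collected, successes are committed as they happen.
    Returns (number_succeeded, list_of_error_messages)."""
    ok, failed = 0, []
    for stmt in split_statements(text):
        try:
            conn.execute(stmt)
            ok += 1
        except sqlite3.Error as exc:
            failed.append(str(exc))
    return ok, failed


def execute_atomically(conn, text):
    """Run the same pieces inside one transaction: if any piece fails, every
    earlier piece is rolled back. Returns True only if all pieces were committed."""
    conn.execute("BEGIN")
    try:
        for stmt in split_statements(text):
            conn.execute(stmt)
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        return False
    conn.execute("COMMIT")
    return True


def balance_of(conn, owner):
    """Parameterised read of one account's balance (None if no such owner)."""
    row = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return row[0] if row else None


def find_account(conn, owner):
    """Parameterised lookup: the owner value is bound as data, so a quote or a
    semicolon inside it cannot terminate the statement or start another one."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def account_count(conn):
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    conn = fresh_db()
    print("independent:", execute_independently(conn, MIXED_BATCH), "alice =", balance_of(conn, "alice"))
    conn = fresh_db()
    print("atomic:", execute_atomically(conn, MIXED_BATCH), "alice =", balance_of(conn, "alice"))
    # Constructed untrusted value; with a bound parameter it simply matches no row.
    untrusted = "alice'; UPDATE accounts SET balance = 0; --"
    print("lookup:", find_account(conn, untrusted), "rows =", account_count(conn))
```

With the independent path the batch reports one success and two failures and alice's balance has changed; with the atomic path the same batch reports failure and the balance is untouched, which is the all-or-nothing behaviour a single query string gets from the server. The parameterised lookup returns no rows for the constructed untrusted value and leaves the table intact.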
