Invalid SQL still executes valid sub transactions in Prepared Statement

From: "Tom Hargrave" <Tomh(at)fisher(dot)co(dot)uk>
To: undisclosed-recipients: ;
Subject: Invalid SQL still executes valid sub transactions in Prepared Statement
Date: 2004-01-16 14:04:06
Message-ID: s007ef62.028@mailhost.fisher.co.uk
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-jdbc

Details:

If a piece of SQL is executed in a JDBC prepared statement that
includes a
semicolon and a valid piece of SQL, then the embedded valid piece of
SQL
still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page
that
inputs strings that are used to construct a statement, since a hacker
can
embed SQL within a single field that executes regardless of the overall

statement being invalid.

See article:

http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

**************************************************************************************************
CONFIDENTIAL AND PRIVILEGED INFORMATION

IMPORTANT: This message is intended for the addressee only and is privileged and
confidential. If you are not the addressee, then please DO NOT read, copy or
distribute it, but reply to the sender that you received it in error and delete it. Thank
you.

Fisher Scientific U.K., Limited.

Registered Office:
Bishop Meadow Road,
Loughborough LE11 5RG
England

Registered in England No: 2883961

Responses

Browse pgsql-jdbc by date

  From Date Subject
Next Message Csaba Nagy 2004-01-16 15:03:28 Re: Invalid SQL still executes valid sub transactions
Previous Message Kris Jurka 2004-01-16 08:47:47 Re: jdbc1.AbstractJdbc1Statement.setBinaryStream bug and