| From: | "PostgreSQL Bugs List" <pgsql-bugs(at)postgresql(dot)org> |
|---|---|
| To: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL |
| Date: | 2004-01-14 12:48:04 |
| Message-ID: | 20040114124804.0D1E2CF4A06@www.postgresql.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
The following bug has been logged online:
Bug reference: 1049
Logged by: Tom Hargrave
Email address: tomh(at)fisher(dot)co(dot)uk
PostgreSQL version: 7.3.2
Operating system: Linux
Description: Invalid SQL Executed as JDBC Prepared Statement still
executes embedded SQL
Details:
If a piece of SQL is executed in a JDBC prepared statement that includes a
semicolon and a valid piece of SQL, then the embedded valid piece of SQL
still executes even though the overall statement is invalid.
Example:
select c1 from t1 order by;drop t2; c1
This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.
See article:
http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFla
vourID=1
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Richard Huxton | 2004-01-14 15:15:31 | Re: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL |
| Previous Message | ezra epstein | 2004-01-13 21:35:53 | Re: I find a bug (IMHO) |