From: | Richard Huxton <dev(at)archonet(dot)com> |
---|---|
To: | "PostgreSQL Bugs List" <pgsql-bugs(at)postgresql(dot)org> |
Cc: | tomh(at)fisher(dot)co(dot)uk |
Subject: | Re: BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL |
Date: | 2004-01-14 15:15:31 |
Message-ID: | 200401141515.31291.dev@archonet.com |
Lists: | pgsql-bugs |
On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
> The following bug has been logged online:
>
> Bug reference: 1049
> Logged by: Tom Hargrave
> Email address: tomh(at)fisher(dot)co(dot)uk
> Description: Invalid SQL Executed as JDBC Prepared Statement still
> executes embedded SQL
> select c1 from t1 order by;drop t2; c1
Does JDBC not include the ability to escape supplied parameters so "dangerous"
characters are handled properly? Or are you saying that it fails to deal with
semicolons?
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.
NEVER allow unchecked data from an untrusted user into your system. This is
standard security practice.
--
Richard Huxton
Archonet Ltd
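The two things Richard's reply points at, binding parameters instead of concatenating them and refusing unchecked input outright, as an added example that is not code from this thread or from the pgjdbc driver. Python's sqlite3 module with an in-memory database stands in for PostgreSQL and JDBC so the block runs offline; the `?` placeholder plays the role of a `PreparedStatement` `setString`/`setInt`. The table names t1/t2 and column c1 come from the report; the schema contents, the allowlist and the function names are constructed here. The loop in `vulnerable_query` that splits the statement text on `;` and runs each piece on its own, ignoring failures, is my assumption about how a driver could let the `DROP` survive a syntax error in the `SELECT`; the thread does not say how the driver behaves.

```python
import sqlite3

# Constructed schema standing in for the t1/t2 tables named in the bug report.
SCHEMA = """
CREATE TABLE t1 (c1 INTEGER);
INSERT INTO t1 VALUES (3), (1), (2);
CREATE TABLE t2 (x INTEGER);
"""

# Attacker-controlled "sort column", modelled on the report: the text before
# the first ';' leaves the SELECT syntactically broken, the piece after it is
# a complete DROP, and the trailing 'c1' is noise.
MALICIOUS_SORT = ";DROP TABLE t2; c1"

# Hypothetical allowlist of identifiers the application is willing to sort by.
ALLOWED_SORT_COLUMNS = {"c1"}


def fresh_db():
    """Open an in-memory database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_query(conn, sort_column):
    """String-built ORDER BY, the pattern the report describes.

    Assumed driver model: the text is split on ';' and every piece is run as
    its own autocommitted statement, so a failure in one piece does not stop
    the next. Returns (rows, t2_still_exists).
    """
    sql = "SELECT c1 FROM t1 ORDER BY " + sort_column
    rows = []
    for piece in sql.split(";"):
        piece = piece.strip()
        if not piece:
            continue
        try:
            rows = [r[0] for r in conn.execute(piece).fetchall()]
        except sqlite3.Error:
            # The broken SELECT (and the trailing 'c1') fail here; the DROP
            # in between has already been executed.
            continue
    return rows, table_exists(conn, "t2")


def safe_query(conn, sort_column, min_value):
    """Hardened form: allowlist the identifier, bind the value.

    A column name cannot be a bound parameter in SQL, so ORDER BY input is
    checked against ALLOWED_SORT_COLUMNS and rejected otherwise. The filter
    value goes through a placeholder and is never parsed as SQL.
    Returns (rows, t2_still_exists).
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    sql = "SELECT c1 FROM t1 WHERE c1 >= ? ORDER BY " + sort_column
    rows = [r[0] for r in conn.execute(sql, (min_value,)).fetchall()]
    return rows, table_exists(conn, "t2")


def lookup_by_text(conn, value):
    """Bound parameter carrying an embedded ';DROP ...' is compared as data.

    The whole string, semicolons included, is matched against the column
    text; nothing in it reaches the SQL parser.
    """
    rows = conn.execute(
        "SELECT c1 FROM t1 WHERE CAST(c1 AS TEXT) = ?", (value,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable:", vulnerable_query(db, MALICIOUS_SORT))
    db = fresh_db()
    print("safe, benign sort:", safe_query(db, "c1", 2))
    try:
        safe_query(db, MALICIOUS_SORT, 0)
    except ValueError as exc:
        print("safe, rejected:", exc)
    print("bound value:", lookup_by_text(db, "1; DROP TABLE t2; --"),
          "t2 exists:", table_exists(db, "t2"))
```

The detail worth keeping from the report is where the input lands: an ORDER BY clause takes an identifier, and no driver can bind an identifier as a parameter, so "use prepared statements" alone does not close this hole. The allowlist check is the part that does; binding covers the value positions.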