| From: | Curt Sampson <cjs(at)cynic(dot)net> |
|---|---|
| To: | Peter Kovacs <peter(dot)kovacs(at)sysdata(dot)siemens(dot)hu> |
| Cc: | pgsql-general(at)postgresql(dot)org, <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: [JDBC] Prepared statement performance... |
| Date: | 2002-10-16 06:06:30 |
| Message-ID: | Pine.NEB.4.44.0210161502470.8619-100000@angelic.cynic.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-jdbc |
On Mon, 14 Oct 2002, Peter Kovacs wrote:
> I do not clearly understand what the problem is with someone typing in
> "foo'; DROP TABLE bar;" into the "Name" field on your web form.
If you do just a dumb string concatination, it can insert arbitrary
commands into your conversation with the postgres database. E.g.,
your code does this to construct the query:
"SELECT id FROM users WHERE name = '" + name + '"'"
and name, taken directly from the input field, is
foo'; DROP TABLE users; SELECT 'foo
Your query ends up being:
SELECT id FROM users WHERE name = 'foo'; DROP TABLE users; SELECT 'foo';
cjs
--
Curt Sampson <cjs(at)cynic(dot)net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Shridhar Daithankar | 2002-10-16 06:36:29 | Re: Sizing and striping log area |
| Previous Message | Andrew Bartley | 2002-10-16 04:45:39 | ERROR: _mdfd_getrelnfd: cannot open relation pg_temp_15300_53: No such file or directory |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jean-Christian Imbeault | 2002-10-16 07:27:42 | getXXX(): Null Pointer Exception |
| Previous Message | jonerf1 | 2002-10-16 04:26:14 | blob load in 7.2.3 |