Re: New builds posted to jdbc.postgresql.org website for jdbc driver

From Tom Lane
Subject Re: New builds posted to jdbc.postgresql.org website for jdbc driver
Date
Msg-id 14424.1059013150@sss.pgh.pa.us
In reply to Re: New builds posted to jdbc.postgresql.org website for jdbc driver  (Oliver Jowett <oliver@opencloud.com>)
List pgsql-jdbc
Oliver Jowett <oliver@opencloud.com> writes:
> On Wed, Jul 23, 2003 at 05:30:52PM -0700, Barry Lind wrote:
>> New 7.3 and Dev builds for the driver are posted to the website.  These
>> fix two additional sql injection vulnerabilities reported by Oliver
>> Jowett and Dmitry Tkach.

> Now that it's patched, the one I reported was that you could insert a
> literal \0 via setString() and friends, which the backend treated as "end of
> query", so you could use a string like this:

>   "\0Qrollback;begin;insert into testquerynull(sensitive) values (42);commit\0"

> to inject your own query.

FWIW, that won't work anymore in the V3 protocol, whether or not JDBC
has been patched to reject nulls ...

            regards, tom lane
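The framing point Tom makes, shown as an added Python example that is not the driver's or the server's code: a NUL-terminated V2-style Query reader splits one statement at an embedded NUL, while a length-prefixed V3-style reader keeps it inside a single message, and a driver-side check of the kind the patched driver applies refuses such a value before it is ever quoted. The function names and both toy readers are constructed for illustration; only the 'Q' message layouts follow the V2 and V3 wire formats.

```python
import struct

NUL = b"\x00"


def reject_nul(value: str) -> str:
    """Driver-side guard (hypothetical name): refuse a string parameter that
    contains a NUL instead of quoting it into the statement text."""
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a string parameter")
    return value


def quote_literal(value: str) -> str:
    """Minimal client-side quoting of a string literal (constructed for this example)."""
    return "'" + value.replace("'", "''") + "'"


def build_insert(value: str, guard: bool) -> str:
    """Build a statement from one parameter, with or without the NUL check."""
    if guard:
        value = reject_nul(value)
    return "insert into t(c) values (" + quote_literal(value) + ")"


def frame_v2_query(sql: str) -> bytes:
    # V2 Query message: type byte 'Q', then the query as a NUL-terminated C string.
    return b"Q" + sql.encode() + NUL


def frame_v3_query(sql: str) -> bytes:
    # V3 Query message: 'Q', Int32 length (counts itself, not the type byte),
    # then the query as a NUL-terminated string.
    body = sql.encode() + NUL
    return b"Q" + struct.pack("!i", 4 + len(body)) + body


def parse_v2(stream: bytes) -> list[tuple[str, bytes]]:
    # NUL-terminated reader: every NUL ends the current message and the next
    # byte is taken as a new message type, so an embedded NUL splits a query.
    msgs, pos = [], 0
    while pos < len(stream):
        end = stream.index(NUL, pos + 1)
        msgs.append((chr(stream[pos]), stream[pos + 1:end]))
        pos = end + 1
    return msgs


def parse_v3(stream: bytes) -> list[tuple[str, bytes]]:
    # Length-prefixed reader: the boundary comes from the Int32, so an
    # embedded NUL stays inside one message body and cannot start another.
    msgs, pos = [], 0
    while pos < len(stream):
        (length,) = struct.unpack("!i", stream[pos + 1:pos + 5])
        msgs.append((chr(stream[pos]), stream[pos + 5:pos + 1 + length]))
        pos += 1 + length
    return msgs
```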
