On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:
> Given the ongoing discussion that this SQL injection vulnerability has
> caused, I decided not to apply the below patch from Kim and instead
> fixed the problem in a different way. The fix essentially applies the
> regular escaping done for setString to appropriate values passed to
> setObject. It does not however add quotes to the value. Thus existing
> uses of setObject for in clause and array type values will still
> continue to work.
I haven't looked at the updated tree yet, but from your description won't
this break code that does something like this? :
stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
-O