The following bug has been logged online:
Bug reference: 1049
Logged by: Tom Hargrave
Email address: tomh@fisher.co.uk
PostgreSQL version: 7.3.2
Operating system: Linux
Description: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL
Details:
If a piece of SQL is executed in a JDBC prepared statement that includes a
semicolon and a valid piece of SQL, then the embedded valid piece of SQL
still executes even though the overall statement is invalid.
Example:
select c1 from t1 order by;drop t2; c1
This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.
See article:
http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
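Added illustration, not part of the report and not the PostgreSQL JDBC driver's own code: the defensive construction the reporter's scenario calls for. An ORDER BY column cannot be passed as a bind parameter, so it is checked against a fixed allowlist, while row-filter values are bound with "?" and never concatenated into the statement text. Table t1 and column c1 come from the report; column c2 and the "owner" filter column are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

/**
 * Query construction where the sort column originates from user input.
 * The SQL text that reaches the driver is fixed apart from one validated
 * identifier, so a value such as ";drop t2; c1" never becomes part of it.
 */
public class SafeOrderBy {

    // The only identifiers permitted after ORDER BY (c2 is an assumed second column).
    private static final Set<String> ALLOWED_SORT_COLUMNS = Set.of("c1", "c2");

    /** Returns the requested column if allowlisted, otherwise throws. */
    static String validateSortColumn(String requested) {
        if (requested == null || !ALLOWED_SORT_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("sort column not permitted: " + requested);
        }
        return requested;
    }

    /** Prepares the query; the filter value is bound, the sort column is validated. */
    static PreparedStatement prepare(Connection conn, String owner, String sortColumn)
            throws SQLException {
        String column = validateSortColumn(sortColumn);
        // "owner" is an assumed filter column; its value travels as a parameter, not as SQL.
        String sql = "select c1 from t1 where owner = ? order by " + column;
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, owner);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input modelled on the report's example; no database is needed for this check.
        String untrusted = ";drop t2; c1";
        try {
            validateSortColumn(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before reaching the driver: " + e.getMessage());
        }
        System.out.println("accepted: " + validateSortColumn("c1"));
    }
}
```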