Re: Invalid SQL still executes valid sub transactions in Prepared Statement
From | Paul Thomas |
---|---|
Subject | Re: Invalid SQL still executes valid sub transactions in Prepared Statement |
Date | |
Msg-id | 20040116152639.A28319@bacon |
In reply to | Invalid SQL still executes valid sub transactions in Prepared Statement ("Tom Hargrave" <Tomh@fisher.co.uk>) |
List | pgsql-jdbc |
On 16/01/2004 14:04 Tom Hargrave wrote:
> Details:
>
> If a piece of SQL is executed in a JDBC prepared statement that includes a
> semicolon and a valid piece of SQL, then the embedded valid piece of SQL
> still executes even though the overall statement is invalid.
>
> Example:
>
> select c1 from t1 order by;drop t2; c1
>
> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

Use java.sql.PreparedStatement instead of java.sql.Statement. The driver will
safely escape the user-entered string so that SQL Injection cannot take place.
Look through the archives for the list (IRC last summer-ish). ISTR we had some
discussion on SQL Injection and some patches to the driver were submitted.

> See article:
>
> http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1

There are undoubtedly better resources on the net regarding this subject and
how to avoid it as well as best-practice web application design.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+
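An added illustration of the advice above, written for this page and not taken from Paul Thomas's reply or from the driver's code. It uses Tom Hargrave's ORDER BY example to show the two halves of the fix: a value is bound with a PreparedStatement parameter, while a column name (which cannot be bound) is checked against an allow-list before it is spliced into the query text. Table t1 with columns c1 and c2, the Connection, and Java 9 or later (for Set.of) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SafeOrderBy {

    // Unsafe: the caller's string is pasted into the SQL text, so an input such
    // as ";drop t2; c1" reproduces the post's query and reaches the driver as SQL.
    static String unsafeSql(String orderBy) {
        return "select c1 from t1 order by " + orderBy;
    }

    // Column names cannot be bound as parameters, so the ORDER BY target is
    // checked against a fixed allow-list (assumed columns c1 and c2) before it
    // is spliced into the statement text.
    private static final Set<String> ORDERABLE = Set.of("c1", "c2");

    static String safeOrderBySql(String orderBy) {
        if (!ORDERABLE.contains(orderBy)) {
            throw new IllegalArgumentException("not an orderable column: " + orderBy);
        }
        return "select c1 from t1 where c1 = ? order by " + orderBy;
    }

    // Values are bound with setString(): the driver transmits them as data,
    // never as part of the statement, so a semicolon in the input is only a
    // character inside a string value and cannot start a second statement.
    static ResultSet find(Connection conn, String c1Value, String orderBy)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeOrderBySql(orderBy));
        ps.setString(1, c1Value);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        String attackerInput = ";drop t2; c1";
        System.out.println("unsafe text: " + unsafeSql(attackerInput));
        System.out.println("safe text:   " + safeOrderBySql("c1"));
        try {
            safeOrderBySql(attackerInput);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:    " + e.getMessage());
        }
    }
}
```

Running main() without a database shows the three outcomes: the unsafe builder emits the injected statement verbatim, the allow-listed column yields a fixed query with a `?` placeholder, and the injected string is rejected before any SQL is built.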