Oliver,
Yes, that will no longer work. But syntactically it shouldn't anyway.
You are passing a set of strings and saying the type is NUMERIC. What
will still work is passing a set of numeric values:
stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
thanks,
--Barry
Oliver Jowett wrote:
> On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:
>
>
>>Given the ongoing discussion that this SQL injection vulnerability has
>>caused, I decided not to apply the below patch from Kim and instead
>>fixed the problem in a different way. The fix essentially applies the
>>regular escaping done for setString to appropriate values passed to
>>setObject. It does not however add quotes to the value. Thus existing
>>uses of setObject for in clause and array type values will still
>>continue to work.
>
>
> I haven't looked at the updated tree yet, but from your description won't
> this break code that does something like this? :
>
> stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
> stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
>
> -O
>
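The behaviour Barry describes above, modelled as an added example (this is not the driver's code): a setString-style escape is applied to the value bound by setObject, but no surrounding quotes are added, so a numeric list still works as an IN-clause argument while a value containing quote characters is escaped rather than breaking out of the string. The escaping rules (doubling single quotes, escaping backslashes) and the function names are assumptions for illustration.

```python
# Simplified model of the fix discussed on the list, not the pgjdbc driver itself.
# Assumption: setString-style escaping doubles single quotes and escapes backslashes.

def escape_like_set_string(value: str) -> str:
    """Apply the escaping setString would apply, without adding quotes."""
    return value.replace("\\", "\\\\").replace("'", "''")

def bind_numeric_object(sql_template: str, value: str) -> str:
    """Model of setObject(idx, value, Types.NUMERIC) after the fix: the first
    '?' placeholder is replaced by the escaped value, unquoted."""
    if "?" not in sql_template:
        raise ValueError("no placeholder in statement")
    return sql_template.replace("?", escape_like_set_string(value), 1)

def bind_numeric_object_before_fix(sql_template: str, value: str) -> str:
    """Pre-fix behaviour as described in the thread: the raw value is spliced in."""
    return sql_template.replace("?", value, 1)

# Constructed sample statements, echoing the ones quoted in the thread.
IN_CLAUSE = "SELECT * FROM table WHERE numeric_key IN ?"
STRING_IN_CLAUSE = "SELECT * FROM table WHERE string_key IN ?"

def demo():
    # A list of numeric values passes through unchanged: existing IN-clause
    # usage keeps working, which is what the fix was meant to preserve.
    ok = bind_numeric_object(IN_CLAUSE, "(1, 2, 3)")
    # A quoted-string list bound as NUMERIC now has its quotes escaped, so
    # Oliver's example stops working (and, as Barry notes, was never valid).
    broken = bind_numeric_object(STRING_IN_CLAUSE, "('a', 'b', 'c')")
    # A value carrying a stray quote is escaped instead of being spliced in raw.
    escaped = escape_like_set_string("O'Reilly")
    return ok, broken, escaped

if __name__ == "__main__":
    for line in demo():
        print(line)
```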