Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

From: Tom Lane
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Msg-id: 6042.1058880833@sss.pgh.pa.us
In reply to: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Oliver Jowett <oliver@opencloud.com>)
List: pgsql-jdbc
Oliver Jowett <oliver@opencloud.com> writes:
> ... won't this break code that does something like this? :

>   stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
>   stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

Code that does that is just going to have to break.  We should try to
provide equivalent functionality in a less unsafe fashion; but
backwards compatibility with code that is exploiting a security hole
is not an option.

            regards, tom lane
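
The "equivalent functionality in a less unsafe fashion" for the quoted IN-list case, as an added example that is not part of the thread or of the PostgreSQL JDBC driver's own code: one placeholder is generated per value and each value is bound with setString, so the key text is always sent as a parameter and never spliced into the SQL. The names some_table and string_key, the connection URL and the credentials are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

public final class SafeInList {

    // Build "... IN (?, ?, ...)" with one placeholder per value. Only the
    // number of placeholders depends on input; the values themselves never
    // touch the SQL text. some_table and string_key are assumed names.
    static String buildQuery(int valueCount) {
        if (valueCount <= 0) {
            return "SELECT * FROM some_table WHERE false"; // "IN ()" is invalid SQL
        }
        StringBuilder sql = new StringBuilder("SELECT * FROM some_table WHERE string_key IN (");
        for (int i = 0; i < valueCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(')').toString();
    }

    // Bind each key with setString: the driver quotes and escapes it, so a
    // value such as O'Brien is compared as data, not parsed as SQL syntax.
    static PreparedStatement prepareInQuery(Connection conn, List<String> keys)
            throws SQLException {
        PreparedStatement stmt = conn.prepareStatement(buildQuery(keys.size()));
        for (int i = 0; i < keys.size(); i++) {
            stmt.setString(i + 1, keys.get(i)); // JDBC parameter indexes start at 1
        }
        return stmt;
    }

    public static void main(String[] args) throws SQLException {
        // Connection URL and credentials are placeholders; supply your own.
        try (Connection conn = DriverManager.getConnection(
                     "jdbc:postgresql://localhost/dbname", "user", "password");
             PreparedStatement stmt = prepareInQuery(conn, List.of("a", "b", "O'Brien"));
             ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString("string_key"));
            }
        }
    }
}
```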
