Re: [INTERFACES] New code for JDBC driver

Similar problems can arise even if the end user has no bad intentions. In
the example Arsanal mentioned, what if Sinead O'Connor is a user? Wouldn't
this result in the following query?

update users set name='Sinead O'Connor

which gives the error:

ERROR:  parser: parse error at or near "connor"

So I guess a solution would be to escape *quotes* and not *semicolons out of
quotes*, which is the solution I use in my programs and on which comments
are invited . This also prevents the malicious use Arsanal is talking about,
doesn't it?

However the PreparedStatement solution (which I haven't tried) seems to be
more elegant.

This thing seems pretty elementary. Isn't it covered in a FAQ somewhere?


----- Original Message -----
From: Barry Lind <barry@xythos.com>
To: Arsalan Zaidi <azaidi@directi.com>
Cc: PostgreSQL jdbc list <pgsql-jdbc@postgresql.org>
Sent: Tuesday, July 03, 2001 6:18 PM
Subject: Re: [INTERFACES] New code for JDBC driver


>
> Now to your situation.  The obvious solution is to use prepared
> statements in your middle tier having the client provide the values from
> the text fields to be bound into the query.
>
>  > "update users set name='"+name+"'"
>
> So the client sends you the 'name' value and the middle tier uses a
> preparedstatement to bind that value to the update.

>
> Arsalan Zaidi wrote:
>
> > I agree that it probably is. Unfortunately, as I mentioned in my
previous
> > post,no one is going to be entering in SQL queries directly through our
> > interface. We're not doing it and if someone is, he's up to no good.
e.g.
> >
> > "update users set name='"+name+"'"
> >
> > If there's a text box in which you enter your name for the first query,
I
> > can some fun if I enter in
> >
> > Arsalan';update funds set money = 100000 where userid =10
> >