| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> |
| Cc: | Fernando Nasser <fnasser(at)redhat(dot)com>, Dima Tkach <dmitry(at)openratings(dot)com>, Oliver Jowett <oliver(at)opencloud(dot)com>, Kim Ho <kho(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Dave Cramer <Dave(at)micro-automation(dot)net> |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-22 05:56:03 |
| Message-ID: | 3944.1058853363@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> writes:
> I think that the simplest thing would be to have an option in the
> backend to disable processing of multiple statements in one query --
> i.e. disallow the use of ';' as a separator of statements.
FWIW, the new "extended query" protocol has exactly such a restriction.
However that hardly excuses any sloppiness in allowing
non-syntax-checked parameter values through. Consider changing
"WHERE x < ?" to
"WHERE x < 42 AND my_function_with_interesting_side_effects()"
No semicolons in sight, but I can still clean out your bank balance ;-)
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Oliver Jowett | 2003-07-22 06:35:04 | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Previous Message | Kris Jurka | 2003-07-22 05:52:20 | Re: Prepared Statements |