Re: Prepared Statements

From: Fernando Nasser <fnasser(at)redhat(dot)com>
To: Dmitry Tkach <dmitry(at)openratings(dot)com>
Cc: Barry Lind <blind(at)xythos(dot)com>, wsheldah(at)lexmark(dot)com, "pgsql-jdbc (at) postgresql (dot) org" <pgsql-jdbc(at)postgresql(dot)org>
Subject: Re: Prepared Statements
Date: 2003-07-18 14:38:18
Message-ID: 3F18065A.1060406@redhat.com
Lists: pgsql-jdbc

Dmitry Tkach wrote:
> Barry Lind wrote:
>
>> If using a PreparedStatement the driver correctly escapes all values
>> to avoid SQL injection attacks.
>
>
> No, it doesn't :-)
> For example:
>
> PreparedStatement s = c.prepareStatement ("select * from user where id = ?");
> s.setObject (1, "null;drop database mydatabase", Types.INTEGER);
> System.out.println (s.toString ());
>
> select * from user where id=null;drop database mydb
>
> :-)
>

I don't believe this is actually being sent to the backend, maybe it is
just a toString() bug.

The backend should get:

select * from user where id='null;drop database mydb'

(If it does not it is a bug.)

P.S.: The example case would only succeed if the DBA is an idiot.
Your program should not be accessing the database (for these queries at
least) as a user who can drop databases unless it is a privileged
program for privileged users (who could do the damage using plain psql
anyway). Perhaps the injection of a 'DELETE FROM mytable' would be a
more realistic example.

--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
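The P.S. above argues that the application's database user should not be able to drop databases in the first place. The following is an added example (not part of the thread, and not code from the PostgreSQL JDBC driver or project) showing what that looks like as PostgreSQL DDL on a modern server: a login role that can only SELECT from the one table the query needs, plus the catalog queries to verify the grants. The database name `mydb`, the table name `accounts`, the role name `app_reader` and the password are assumptions; `user` is a reserved word in PostgreSQL, so the thread's table name is not reused.

```sql
-- Added example: a least-privilege PostgreSQL role for the application,
-- so that an injected DROP DATABASE or DELETE is refused by the server.
-- Assumed names: database "mydb", table "accounts", role "app_reader".
-- Run as a superuser, e.g.:  psql -U postgres mydb

-- 1. A plain login role. NOSUPERUSER, NOCREATEDB and NOCREATEROLE are the
--    CREATE ROLE defaults; they are spelled out here so the intent is visible.
CREATE ROLE app_reader LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Do not let the role inherit anything through PUBLIC; grant CONNECT only.
REVOKE ALL ON DATABASE mydb FROM PUBLIC;
GRANT CONNECT ON DATABASE mydb TO app_reader;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_reader;

-- 3. Grant exactly the operation the lookup query needs, on exactly one table.
GRANT SELECT ON accounts TO app_reader;

-- 4. Check what the role can actually do.
--    Expected: one row with rolsuper = f and rolcreatedb = f.
SELECT rolname, rolsuper, rolcreatedb
  FROM pg_roles
 WHERE rolname = 'app_reader';

--    Expected: a single row, privilege_type = 'SELECT'.
SELECT privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'app_reader'
   AND table_name = 'accounts';

-- 5. Connected as the application role (psql -U app_reader mydb), the two
--    statements injected in the thread are rejected rather than executed:
--      DROP DATABASE mydb;    -- fails: app_reader is neither owner nor superuser
--      DELETE FROM accounts;  -- fails: permission denied, only SELECT was granted
--    The lookup itself still works:
--      SELECT * FROM accounts WHERE id = 42;
```

To settle the question the message raises, whether the string printed by `toString()` is what the backend actually receives, look at the server side rather than the driver: enable statement logging in `postgresql.conf` (the `log_statement` setting) and compare the logged query text with the driver's output. If the logged statement shows the parameter as a single quoted literal, the driver is doing its job and only `toString()` is misleading.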
