| From: | Dmitry Tkach <dmitry(at)openratings(dot)com> |
|---|---|
| To: | Kim Ho <kho(at)redhat(dot)com> |
| Cc: | Fernando Nasser <fnasser(at)redhat(dot)com>, Barry Lind <blind(at)xythos(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org> |
| Subject: | Re: Prepared Statements |
| Date: | 2003-07-18 17:53:39 |
| Message-ID: | 3F183423.9030900@openratings.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Kim Ho wrote:
>Can't you instead use setString(1, "x'a'")?
>
Nope - that will get converted into ... where id='x\'a\'' - that won't
be understood by the backend - it wants it *exactly* that way - x
outside the quotes, followed by a quoted hexademical number...
>
>If not, this also brings up another thing. Did you want to treat "x'a'"
>as a number now?
>
Yes, I did (and still do) :-)
>
>In any case, here is a revised version of the patch. =) Thanks for the
>pointers.
>
I must be missing something, but I don't see any difference with the
previous version ....
>
>Also, the remove radix thing is not meant for preventing SQL injection.
>It is meant for this like:
>
>create function integer_in(integer) ....
>
>and then using things like select integer_in(1.11231E9)
>
I understand that. I was just saying that adding quotes around the input
doesn't help much in preventing injections, but does take away valuable
functionality...
Dima
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kim Ho | 2003-07-18 18:03:22 | Re: Prepared Statements |
| Previous Message | Kim Ho | 2003-07-18 17:45:28 | Re: Prepared Statements |