From: | Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> |
---|---|
To: | pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: Prepared Statements |
Date: | 2003-07-22 07:48:36 |
Message-ID: | 3F1CEC54.4050302@siemens.com |
Lists: | pgsql-jdbc |
Tom Lane wrote:
>Peter Kovacs <peter(dot)kovacs(at)siemens(dot)com> writes:
>
>
>>I think that the simplest thing would be to have an option in the
>>backend to disable processing of multiple statements in one query --
>>i.e. disallow the use of ';' as a separator of statements.
>>
>>
>
>FWIW, the new "extended query" protocol has exactly such a restriction.
>However that hardly excuses any sloppiness in allowing
>non-syntax-checked parameter values through. Consider changing
>"WHERE x < ?" to
>"WHERE x < 42 AND my_function_with_interesting_side_effects()"
>
>No semicolons in sight, but I can still clean out your bank balance ;-)
>
...and it would serve me right :(.
BTW, I presume that one can deny a user the right to create stored
procedures in PostgreSQL. Anyway, I now recognize that the issue is more
complicated than allowing ';'.
Regards,
Peter
>
> regards, tom lane
>
>
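The point made in the quoted reply, as an added example that is not part of this thread or of the JDBC driver's code: a parameter value pasted into SQL text without a syntax or type check executes a function call with no ';' anywhere, while the same value sent as a bound parameter is only compared as data. It assumes Python's sqlite3 module and a Python-registered function standing in for a stored procedure with side effects (an assumption in place of PostgreSQL and JDBC); the table, rows and hostile value are constructed.

```python
import sqlite3

# Constructed: the value from the reply above, with no semicolon in sight.
HOSTILE_VALUE = "42 AND my_function_with_interesting_side_effects()"


def make_db():
    """In-memory SQLite database (assumption: stands in for PostgreSQL) with a
    user-defined function playing the role of a stored procedure with side effects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (x INTEGER, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (50, 200)])
    calls = []  # every invocation is recorded here: the observable side effect

    def side_effect():
        calls.append(1)
        return 1  # truthy, so "x < 42 AND f()" still behaves like "x < 42"

    # Not declared deterministic, so it is evaluated per row, not hoisted once.
    conn.create_function("my_function_with_interesting_side_effects", 0, side_effect)
    return conn, calls


def query_interpolated(conn, value):
    """Vulnerable form: the value becomes SQL syntax, not data."""
    sql = "SELECT balance FROM accounts WHERE x < " + str(value)
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, value):
    """Safe form: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT balance FROM accounts WHERE x < ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both forms with the hostile value.

    Returns (rows from the vulnerable query, side-effect calls it caused,
    side-effect calls caused by the bound query)."""
    conn, calls = make_db()
    vuln_rows = query_interpolated(conn, HOSTILE_VALUE)   # function runs
    vuln_calls = len(calls)
    calls.clear()
    query_bound(conn, HOSTILE_VALUE)  # compared as a string; nothing executes
    safe_calls = len(calls)
    return vuln_rows, vuln_calls, safe_calls
```

Detection-wise, the interpolated form is the one a code review should flag: any concatenation of user-supplied text into a statement, numeric positions included, is subject to this.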