Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int)

From: Fernando Nasser <fnasser(at)redhat(dot)com>
To: Barry Lind <blind(at)xythos(dot)com>
Cc: Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com>
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int)
Date: 2003-07-23 12:51:41
Message-ID: 3F1E84DD.5000008@redhat.com
Lists: pgsql-jdbc

Barry Lind wrote:
> Oliver,
>
> Yes, that will no longer work. But syntactically it shouldn't anyway.
> You are passing a set of strings and saying the type is NUMERIC. What
> will still work is passing a set of numeric values:
>
> stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
>

Can we pass a set of strings? Otherwise it is a half-way solution.

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

Will it be the string '('a1', 'b2', 'c3')' or the list of strings 'a1',
'b2' and 'c3'?

--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
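To make the distinction the thread is asking about concrete, here is an added, stand-alone model of how a driver that renders every setObject value as a single literal would treat the two calls quoted above; this is illustrative code, not the PostgreSQL JDBC driver's implementation. It assumes Types.NUMERIC values must parse as a finite number and Types.VARCHAR values are always emitted as one quoted string; the function names render_literal and bind are invented for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Type codes with the same values as java.sql.Types.NUMERIC / VARCHAR.
NUMERIC = 2
VARCHAR = 12


def render_literal(value, sql_type):
    """Render one bound parameter as exactly one SQL literal (model, not
    the driver's code). A VARCHAR value always becomes a single quoted
    string, so "('a1', 'b2', 'c3')" is compared as text, never expanded
    into three values. A NUMERIC value must parse as a finite number, so
    a list-like string such as "(1, 2, 3)" is rejected instead of being
    pasted into the statement as SQL syntax."""
    if sql_type == NUMERIC:
        try:
            number = Decimal(str(value))
        except InvalidOperation:
            raise ValueError(f"not a numeric literal: {value!r}")
        if not number.is_finite():
            raise ValueError(f"not a finite number: {value!r}")
        return str(number)
    if sql_type == VARCHAR:
        # Doubling embedded single quotes keeps the value inside the literal.
        # Assumption: the server treats backslashes literally
        # (standard_conforming_strings=on); a driver for older servers must
        # escape backslashes as well.
        escaped = str(value).replace("'", "''")
        return f"'{escaped}'"
    raise ValueError(f"unsupported type code {sql_type}")


def bind(sql, params):
    """Replace '?' placeholders left to right with rendered literals.
    params is a list of (value, sql_type) pairs in placeholder order.
    The naive split is enough here; it does not cope with a '?' inside
    a string literal of the SQL text itself."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for (value, sql_type), tail in zip(params, parts[1:]):
        out += render_literal(value, sql_type) + tail
    return out


if __name__ == "__main__":
    # VARCHAR case from the thread: one literal, not a list of three.
    print(bind("SELECT * FROM t WHERE col IN (?)",
               [("('a1', 'b2', 'c3')", VARCHAR)]))
    # NUMERIC case from the thread: "(1, 2, 3)" is not a number.
    try:
        bind("SELECT * FROM t WHERE id IN ?", [("(1, 2, 3)", NUMERIC)])
    except ValueError as err:
        print("rejected:", err)
```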
