| From: | Fernando Nasser <fnasser(at)redhat(dot)com> |
|---|---|
| To: | Barry Lind <blind(at)xythos(dot)com> |
| Cc: | Oliver Jowett <oliver(at)opencloud(dot)com>, pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com> |
| Subject: | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Date: | 2003-07-23 17:22:32 |
| Message-ID: | 3F1EC458.90301@redhat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-jdbc |
Barry Lind wrote:
>
>
> Fernando Nasser wrote:
>
>> Barry Lind wrote:
>>
>>> Oliver,
>>>
>>> Yes that will no longer work. But syntactically it shouldn't anyway.
>>> You are passing a set of strings and saying the type is NUMERIC.
>>> What will still work is passing a set of numeric values:
>>>
>>> stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
>>>
>>
>> Can we pass a set of strings? Otherwise it is a half-way solution.
>>
>> stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
>
>
> I am not sure what you are asking, but if you make the above call you
> will send the following to the server:
>
> where ... in (\'a1\', \'b2\', \'c3\') ...
>
> Which is as it has always been since Types.VARCHAR caused proper
> escaping. The commited change causes the above to happen even when you
> say the type is Types.NUMERIC.
>
OK, let me rephrase it:
What if my string (which is a string, not a list) contains the
characters "('a1', 'b2', 'c3')"? How do I set my parameter to such a
string with setObject?
--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dmitry Tkach | 2003-07-23 17:28:23 | Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int) |
| Previous Message | Barry Lind | 2003-07-23 17:08:30 | Re: RFC: Removal of support for JDBC1 drivers. |