Re: Patch applied for SQL Injection vulnerability for setObject(int, Object, int)

Barry Lind wrote:
> Fernando,
>
>
> Fernando Nasser wrote:
>
>> What if my string (which is a string, not a list) contains the
>> characters "('a1', 'b2', 'c3')"? How do I set my parameter to such a
>> string with setObject?
>
>
> OK, now I understand your question. This will still work, just like it
> always has. The single quotes will be escaped before sending them to
> the backend and the result will be what you would expect.
>
> So if the query was: insert into foo (bar) values (?)
>
> stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
>
> would result in the following statement sent to the server:
>
> insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')
>
> which will result in the value ('a1', 'b2', 'c3') being inserted.
>

OK, so far so good. And my other question is:

Can we pass a set of strings?

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

will result into:

... where ... in (\'a1\', \'b2\', \'c3\') ...

while the proper syntax should be:

... where ... in ('a1', 'b2', 'c3') ...

or will the backend work even with the escaped quotes?

What was I refering to partial solution (or something of a sort) was the
fact that you can fill your IN predicate <in values list> if the
elements of the list are numeric values but not if the values where
VARCHARs.

--
Fernando Nasser
Red Hat Canada Ltd. E-Mail: fnasser(at)redhat(dot)com
2323 Yonge Street, Suite #300
Toronto, Ontario M4P 2C9