Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)


  • From: Oliver Jowett <oliver(at)opencloud(dot)com>
  • To: Barry Lind <blind(at)xythos(dot)com>
  • Cc: pgsql-jdbc-list <pgsql-jdbc(at)postgresql(dot)org>, Kim Ho <kho(at)redhat(dot)com>, Fernando Nasser <fnasser(at)redhat(dot)com>
  • Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
  • Date: Tue, 22 Jul 2003 18:35:04 +1200
  • Message-id: <20030722063504.GA10522@opencloud.com> <text/plain>

On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:

> Given the ongoing discussion that this SQL injection vulnerability has 
> caused, I decided not to apply the below patch from Kim and instead 
> fixed the problem in a different way.  The fix essentially applies the 
> regular escaping done for setString to appropriate values passed to 
> setObject.  It does not however add quotes to the value.  Thus existing 
> uses of setObject for in clause and array type values will still 
> continue to work.

I haven't looked at the updated tree yet, but from your description won't
this break code that does something like this? :

  stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
  stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

-O
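The three behaviours the thread discusses, as an added illustration written here in Python rather than pgjdbc's own Java code: a driver that splices parameters into the SQL text on the client side, the original setObject path that inserted the value verbatim, Barry's described fix (setString-style escaping, no added quotes), and, as a hypothetical stricter alternative not taken from the thread, a renderer that only accepts a genuine numeric literal for a NUMERIC-typed parameter. The type codes and the `substitute` helper are assumptions made for the model; old pgjdbc also doubled backslashes, which is omitted. The IN-clause example is Oliver's query from the message above.

```python
"""Toy model of client-side parameter substitution (added example, not pgjdbc source)."""
import re
from typing import List

# Assumed type codes; java.sql.Types uses 2 for NUMERIC and 12 for VARCHAR.
NUMERIC = 2
VARCHAR = 12


def escape_string(value: str) -> str:
    """setString-style escaping: double each single quote so the value
    cannot terminate the literal it is placed in."""
    return value.replace("'", "''")


def substitute(sql: str, rendered_params: List[str]) -> str:
    """Replace each '?' placeholder with already-rendered parameter text.
    Simplification: a '?' inside a string literal would also be treated
    as a placeholder; real drivers tokenize the statement first."""
    parts = sql.split("?")
    if len(parts) - 1 != len(rendered_params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for rendered, tail in zip(rendered_params, parts[1:]):
        out += rendered + tail
    return out


def render_original(value, sql_type: int) -> str:
    """Original setObject(int, Object, int) behaviour as described in the
    thread: the value's string form goes into the SQL untouched."""
    return str(value)


def render_patched(value, sql_type: int) -> str:
    """Barry's described fix: escape like setString, but add no quotes,
    so callers who pass a whole parenthesised list still get it through."""
    return escape_string(str(value))


# Hypothetical stricter alternative (not from the thread): only a numeric
# literal may be bound as NUMERIC; strings are escaped and quoted.
NUMERIC_LITERAL = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def render_strict(value, sql_type: int) -> str:
    text = str(value)
    if sql_type == NUMERIC:
        if not NUMERIC_LITERAL.match(text):
            raise ValueError("not a numeric literal: %r" % text)
        return text
    if sql_type == VARCHAR:
        return "'" + escape_string(text) + "'"
    raise ValueError("unsupported type code %d" % sql_type)


# Oliver's example: an IN clause fed a ready-made list as a NUMERIC "value".
IN_QUERY = "SELECT * FROM table WHERE string_key IN ?"
IN_VALUE = "('a', 'b', 'c')"


def in_clause_original() -> str:
    """Works, but only because nothing is escaped (the injection hole)."""
    return substitute(IN_QUERY, [render_original(IN_VALUE, NUMERIC)])


def in_clause_patched() -> str:
    """With escaping applied, the quotes are doubled and the SQL is broken,
    which is exactly the breakage Oliver asks about."""
    return substitute(IN_QUERY, [render_patched(IN_VALUE, NUMERIC)])


if __name__ == "__main__":
    print(in_clause_original())
    print(in_clause_patched())
    # A NUMERIC-typed value carrying a stray quote: passed through verbatim
    # by the original path, neutralised by the patch, rejected outright by
    # the strict renderer.
    print(render_original("1'", NUMERIC), "|", render_patched("1'", NUMERIC))
    try:
        render_strict("1'", NUMERIC)
    except ValueError as exc:
        print("strict renderer rejected it:", exc)
```

Running `in_clause_patched()` shows the trade-off directly: escaping every quote closes the injection hole for NUMERIC-typed strings, but it also turns `('a', 'b', 'c')` into `(''a'', ''b'', ''c'')`, so code that relied on setObject to pass an unquoted fragment through no longer produces valid SQL. The strict renderer makes that reliance an explicit error instead of silently corrupting the query, at the cost of refusing the IN-clause idiom entirely.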

Copyright © 1996 – 2012 PostgreSQL Global Development Group