Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) - Mailing list pgsql-jdbc

From Barry Lind
Subject Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Msg-id 3F1EC856.8020307@xythos.com
In response to Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)  (Fernando Nasser <fnasser@redhat.com>)
List pgsql-jdbc
Fernando,


Fernando Nasser wrote:
> What if my string (which is a string, not a list) contains the
> characters "('a1', 'b2', 'c3')"?   How do I set my parameter to such a
> string with setObject?

OK, now I understand your question.  This will still work, just like it
always has.  The single quotes will be escaped before sending them to
the backend and the result will be what you would expect.

So if the query was: insert into foo (bar) values (?)

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

would result in the following statement sent to the server:

insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')

which will result in the value ('a1', 'b2', 'c3') being inserted.

thanks,
--Barry
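The following Python is an added illustration of the client-side escaping Barry describes, not pgjdbc's own code: the bound String is escaped, quoted and spliced into the statement text, so the parentheses and commas inside it stay data. It assumes the driver of that era escaped backslashes as well as single quotes (the mail only mentions quotes), and adds a small parser to check that what the backend would read back equals what the application bound.

```python
# Added illustration of the escaping described in the message above.
# Not the pgjdbc driver's code; it mimics what setObject(int, Object, int)
# does with a String and Types.VARCHAR when the driver interpolates
# parameters on the client side.

def escape_literal(value: str) -> str:
    """Escape a value for a backslash-escaping string literal.

    The mail shows ' becoming \\'. Backslashes are escaped as well (an
    assumption, the mail does not mention them): without it a value
    ending in a backslash would cancel the literal's closing quote.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")

def bind_parameters(sql: str, params: list) -> str:
    """Replace each ? placeholder with its escaped, quoted parameter.

    Splitting on ? ignores ? characters inside literals of the template,
    which is sufficient for this illustration.
    """
    pieces = sql.split("?")
    if len(pieces) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = pieces[0]
    for value, rest in zip(params, pieces[1:]):
        out += "'" + escape_literal(str(value)) + "'" + rest
    return out

def parse_literal(text: str) -> tuple:
    """Decode one backslash-escaped literal that starts at text[0] == "'".

    Returns (value, remaining_text), i.e. what a backend using backslash
    escapes would read from the literal and what follows it.
    """
    if not text.startswith("'"):
        raise ValueError("literal must start with a single quote")
    value, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character
            value.append(text[i + 1])
            i += 2
        elif ch == "'":                         # unescaped quote ends it
            return "".join(value), text[i + 1:]
        else:
            value.append(ch)
            i += 1
    raise ValueError("unterminated literal")

def round_trips(value: str) -> bool:
    """True if escaping and then parsing returns exactly the bound value."""
    decoded, rest = parse_literal("'" + escape_literal(value) + "'")
    return decoded == value and rest == ""
```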
