The following bug has been logged online:

Bug reference: 1049
Logged by: Tom Hargrave
Email address: [EMAIL PROTECTED]
PostgreSQL version: 7.3.2
Operating system: Linux
Description: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

Details:
If a piece of SQL is executed in a JDBC prepared statement that includes a semicolon and a valid piece of SQL, then the embedded valid piece of SQL still executes even though the overall statement is invalid.

Example:

    select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that inputs strings that are used to construct a statement, since a hacker can embed SQL within a single field that executes regardless of the overall statement being invalid.

See article: http://www.computerweekly.com/articles/article.asp?liArticleID=127470&liFlavourID=1
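The report's ORDER BY case is the hard one, because a sort column is an identifier and cannot be bound as a JDBC `?` parameter. The following is an added example (not code from the report or from PostgreSQL) showing the string-spliced form beside a hardened one that allow-lists the identifier and binds the value; it assumes table `t1` has an integer column `c1` and that the caller supplies an open `Connection`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SortQuery {
    // Allow-list of columns a caller may sort on (assumed schema: t1 has c1, c2).
    // An ORDER BY target is an identifier, not a value, so it cannot be bound
    // with '?' and must be checked against a fixed set instead.
    private static final Set<String> SORTABLE = Set.of("c1", "c2");

    // Vulnerable form: the untrusted string is spliced into the SQL text, so
    // input like "c1; drop table t2" reaches the server as two statements,
    // which is exactly the behaviour the report describes.
    static String buildUnsafe(String userSort) {
        return "select c1 from t1 order by " + userSort;
    }

    // Hardened form: the identifier must match the allow-list exactly, and the
    // only other caller-controlled input is a value bound through '?'.
    static String buildSafe(String userSort) {
        if (!SORTABLE.contains(userSort)) {
            throw new IllegalArgumentException("unsupported sort column: " + userSort);
        }
        return "select c1 from t1 where c1 > ? order by " + userSort;
    }

    // Runs the hardened query. minValue travels as a typed bind parameter, so it
    // is never part of the statement text and cannot introduce a second statement.
    static List<Integer> fetchSorted(Connection conn, String userSort, int minValue)
            throws SQLException {
        List<Integer> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSafe(userSort))) {
            ps.setInt(1, minValue);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getInt("c1"));
                }
            }
        }
        return rows;
    }
}
```

With this shape, a request carrying `c1; drop table t2` as the sort field is rejected by `buildSafe` before any SQL is sent, so the driver's handling of embedded statements never comes into play.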