On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
> The following bug has been logged online:
>
> Bug reference: 1049
> Logged by: Tom Hargrave
> Email address: [EMAIL PROTECTED]
> Description: Invalid SQL Executed as JDBC Prepared Statement still
> executes embedded SQL
>
> select c1 from t1 order by;drop t2; c1

Does JDBC not include the ability to escape supplied parameters so "dangerous" characters are handled properly? Or are you saying that it fails to deal with semicolons?

> This causes security issues if the SQL is constructed from a web page that
> inputs strings that are used to construct a statement, since a hacker can
> embed SQL within a single field that executes regardless of the overall
> statement being invalid.

NEVER allow unchecked data from an untrusted user into your system. This is standard security practice.

-- 
Richard Huxton
Archonet Ltd
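The distinction Richard is pointing at, bound parameters versus SQL text built from user input, is easy to see in a runnable form. The following is an added example, not code from the thread or from the PostgreSQL JDBC driver; it uses Python's sqlite3 module in place of PostgreSQL/JDBC because the placeholder mechanism is the same in spirit, and the table `t1`/`c1`, the rows and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the t1/c1 table in the bug report.
ROWS = [("alice",), ("bob",), ("carol",)]


def make_db():
    """Create an in-memory database with a single table t1(c1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (c1 TEXT)")
    conn.executemany("INSERT INTO t1 (c1) VALUES (?)", ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, user_value):
    """Vulnerable pattern: the user's value is spliced into the SQL text.

    Quotes and keywords inside the value become part of the statement, so the
    caller's intent ("match exactly this string") is no longer what runs.
    """
    sql = "SELECT c1 FROM t1 WHERE c1 = '" + user_value + "' ORDER BY c1"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, user_value):
    """Safe pattern: the value is passed as a parameter for the ? placeholder.

    The statement text is fixed before the value is seen; the driver hands the
    value to the engine as data and never re-parses it as SQL.
    """
    sql = "SELECT c1 FROM t1 WHERE c1 = ? ORDER BY c1"
    return [row[0] for row in conn.execute(sql, (user_value,))]


def demo():
    """Run both lookups with an honest value and a constructed hostile one."""
    conn = make_db()
    honest = "alice"
    # Constructed hostile input: closes the quoted literal and appends a
    # predicate that is always true.
    hostile = "x' OR '1'='1"
    return {
        "concat_honest": lookup_concatenated(conn, honest),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "bound_honest": lookup_bound(conn, honest),
        "bound_hostile": lookup_bound(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With concatenation the hostile value returns every row, because the text of the WHERE clause was rewritten by the input; with a bound parameter the same string is compared as a literal and matches nothing. This is the "escaping" the reply asks about: a prepared statement with placeholders does not escape the value, it keeps it out of the SQL text entirely, which is also why the semicolon-separated statement in the report is only a problem when the SQL string itself is assembled from untrusted input.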