Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
| From | Oliver Jowett |
|---|---|
| Subject | Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) |
| Date | |
| Msg-id | 20030722063504.GA10522@opencloud.com |
| In reply to | Patch applied for SQL Injection vulnerability for setObject(int,Object,int) (Barry Lind <blind@xythos.com>) |
| Responses | Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int); Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) |
| List | pgsql-jdbc |
On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:
> Given the ongoing discussion that this SQL injection vulnerability has
> caused, I decided not to apply the below patch from Kim and instead
> fixed the problem in a different way. The fix essentially applies the
> regular escaping done for setString to appropriate values passed to
> setObject. It does not however add quotes to the value. Thus existing
> uses of setObject for in clause and array type values will still
> continue to work.

I haven't looked at the updated tree yet, but from your description won't
this break code that does something like this?

    stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
    stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);

-O
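The following is an added illustration, not code from this thread or from the pgjdbc driver. It models the three ways a string handed to setObject(int, Object, int) with a non-string SQL type can be spliced into the query text: verbatim (the pre-fix behaviour that allowed injection), escaped without added quotes (the fix Barry describes), and escaped with quotes (what setString does). The escaping rule is an assumption for the demo: it only doubles single quotes, which is the part of the setString escaping that matters for this discussion; the real driver routine is not shown on the page. The class name, method names and sample inputs are all constructed here.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Toy model (not pgjdbc code) of how a setObject(int, Object, int) value
 * lands in the final SQL text before and after an "escape but don't quote"
 * change. Assumed escaping rule: double every single quote.
 */
public class SetObjectEscapeDemo {

    /** Assumed model of the setString escaping: every ' becomes ''. */
    static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\'') {
                sb.append("''");
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-fix behaviour: the object's string form is spliced in verbatim. */
    static String renderUnescaped(String sql, String value) {
        return sql.replace("?", value);
    }

    /** Post-fix behaviour as described in the thread: escaped, no quotes added. */
    static String renderEscapedNoQuotes(String sql, String value) {
        return sql.replace("?", escape(value));
    }

    /** For comparison: what setString does, escaped and wrapped in quotes. */
    static String renderAsString(String sql, String value) {
        return sql.replace("?", "'" + escape(value) + "'");
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String numericSql = "SELECT * FROM t WHERE id = ?";
        String taintedNumber = "7' x";        // a "number" that smuggles in a quote
        String inSql = "SELECT * FROM table WHERE string_key IN ?";
        String inList = "('a', 'b', 'c')";    // the IN-clause idiom from Oliver's message

        Map<String, String> cases = new LinkedHashMap<>();
        cases.put("numeric, verbatim (pre-fix)",
                  renderUnescaped(numericSql, taintedNumber));
        cases.put("numeric, escaped no quotes (post-fix)",
                  renderEscapedNoQuotes(numericSql, taintedNumber));
        cases.put("IN list, verbatim (pre-fix)",
                  renderUnescaped(inSql, inList));
        cases.put("IN list, escaped no quotes (post-fix)",
                  renderEscapedNoQuotes(inSql, inList));
        cases.put("IN list, via setString for comparison",
                  renderAsString(inSql, inList));

        for (Map.Entry<String, String> e : cases.entrySet()) {
            System.out.printf("%-42s %s%n", e.getKey() + ":", e.getValue());
        }
    }
}
```

Under this model the tainted numeric value keeps its lone quote in the verbatim rendering and has it doubled in the post-fix rendering, so it can no longer terminate a literal; the same doubling turns the IN-clause idiom into `IN (''a'', ''b'', ''c'')`, which is exactly the breakage Oliver is asking about. The defender's takeaway is that a single escaping rule cannot serve both "this is a scalar value" and "this is a SQL fragment"; any code that relies on the fragment idiom needs a separate review once the escaping lands.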