Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

Oliver,

Yes that will no longer work.  But syntactically it shouldn't anyway.
You are passing a set of strings and saying the type is NUMERIC.  What
will still work is passing a set of numeric values:

    stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);

thanks,
--Barry


Oliver Jowett wrote:
> On Mon, Jul 21, 2003 at 10:49:14PM -0700, Barry Lind wrote:
>
>
>>Given the ongoing discussion that this SQL injection vulnerability has
>>caused, I decided not to apply the below patch from Kim and instead
>>fixed the problem in a different way.  The fix essentially applies the
>>regular escaping done for setString to appropriate values passed to
>>setObject.  It does not however add quotes to the value.  Thus existing
>>uses of setObject for in clause and array type values will still
>>continue to work.
>
>
> I haven't looked at the updated tree yet, but from your description won't
> this break code that does something like this? :
>
>   stmt = conn.prepareStatement("SELECT * FROM table WHERE string_key IN ?");
>   stmt.setObject(1, "('a', 'b', 'c')", Types.NUMERIC);
>
> -O
>