Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
From | Fernando Nasser |
---|---|
Subject | Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) |
Date | |
Msg-id | 3F1EC458.90301@redhat.com |
In reply to | Re: Prepared Statements (wsheldah@lexmark.com) |
Responses | Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int) |
List | pgsql-jdbc |
Barry Lind wrote:
>
> Fernando Nasser wrote:
>
>> Barry Lind wrote:
>>
>>> Oliver,
>>>
>>> Yes that will no longer work. But syntactically it shouldn't anyway.
>>> You are passing a set of strings and saying the type is NUMERIC.
>>> What will still work is passing a set of numeric values:
>>>
>>> stmt.setObject(1, "(1, 2, 3)", Types.NUMERIC);
>>>
>>
>> Can we pass a set of strings? Otherwise it is a half-way solution.
>>
>> stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
>
> I am not sure what you are asking, but if you make the above call you
> will send the following to the server:
>
> where ... in (\'a1\', \'b2\', \'c3\') ...
>
> Which is as it has always been since Types.VARCHAR caused proper
> escaping. The committed change causes the above to happen even when you
> say the type is Types.NUMERIC.
>

OK, let me rephrase it:

What if my string (which is a string, not a list) contains the characters "('a1', 'b2', 'c3')"?

How do I set my parameter to such a string with setObject?

--
Fernando Nasser
Red Hat Canada Ltd.                     E-Mail:  fnasser@redhat.com
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9
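As an added illustration, not part of this thread and not the PostgreSQL JDBC driver's own code: a small Java model of the client-side parameter substitution being discussed, showing why a String bound as Types.NUMERIC has to be quoted and escaped rather than spliced in raw. The helper names and the backslash-before-quote escaping are assumptions based only on the output quoted in the message above.

```java
import java.sql.Types;

/**
 * Illustrative model (assumption: NOT the driver's real code) of how a bound
 * parameter becomes a SQL literal when the driver substitutes it client-side.
 */
public class ParamEscapeDemo {

    /** Quote a string literal, escaping ' and \ the way the thread's output shows. */
    static String quoteString(String s) {
        StringBuilder sb = new StringBuilder("'");
        for (char c : s.toCharArray()) {
            if (c == '\'' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('\'').toString();
    }

    /** Patched behaviour: a String is always quoted, whatever sqlType claims.
     *  Only a genuine Number is sent as a bare NUMERIC literal. */
    static String literalFor(Object value, int sqlType) {
        if (value == null) return "NULL";
        if (sqlType == Types.NUMERIC && value instanceof Number) {
            return value.toString();
        }
        return quoteString(value.toString());
    }

    /** Pre-patch behaviour, kept only to contrast: NUMERIC meant "splice the text raw",
     *  so any String bound as NUMERIC reached the server unquoted. */
    static String oldLiteralFor(Object value, int sqlType) {
        if (sqlType == Types.NUMERIC) return value.toString();
        return quoteString(value.toString());
    }

    public static void main(String[] args) {
        String sql = "SELECT * FROM t WHERE v IN ";
        // Fernando's case: the value is ONE string that merely looks like a list.
        String tricky = "('a1', 'b2', 'c3')";
        System.out.println(sql + oldLiteralFor(tricky, Types.NUMERIC)); // raw text reaches the server
        System.out.println(sql + "(" + literalFor(tricky, Types.NUMERIC) + ")"); // one escaped literal
        System.out.println(sql + "(" + literalFor(tricky, Types.VARCHAR) + ")"); // identical result
        System.out.println(sql + "(" + literalFor(42, Types.NUMERIC) + ")");     // bare number still fine
    }
}
```

The answer to the question in the message is the last two println lines: bind the value with Types.VARCHAR (or, after the patch, even Types.NUMERIC) and the whole string, parentheses and quotes included, is sent as a single escaped literal.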