Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

From: Barry Lind
Subject: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)
Date:
Msg-id: 3F1EC856.8020307@xythos.com
In reply to: Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)  (Fernando Nasser <fnasser@redhat.com>)
List: pgsql-jdbc
Fernando,


Fernando Nasser wrote:
> What if my string (which is a string, not a list) contains the
> characters "('a1', 'b2', 'c3')"?   How do I set my parameter to such a
> string with setObject?

OK, now I understand your question.  This will still work, just like it
always has.  The single quotes will be escaped before sending them to
the backend and the result will be what you would expect.

So if the query was: insert into foo (bar) values (?)

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

would result in the following statement sent to the server:

insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')

which will result in the value ('a1', 'b2', 'c3') being inserted.

thanks,
--Barry
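The escaping Barry describes, as an added example that is not pgjdbc's own code: a small Python model of client-side parameter binding that backslash-escapes quotes exactly as in the statement shown in the message, and that skips `?` characters sitting inside quoted literals so they are not mistaken for placeholders.

```python
# Added example: models the client-side parameter escaping described in the
# message. Uses the backslash form shown there (' -> \', \ -> \\); it is not
# the driver's actual implementation.


def escape_literal(value: str) -> str:
    """Wrap value in single quotes, escaping backslashes first and then quotes."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def bind_statement(sql: str, params: list[str]) -> str:
    """Replace each '?' placeholder outside quoted literals with its escaped
    parameter, the way a driver that binds on the client side would."""
    out = []
    in_literal = False
    next_param = 0
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            in_literal = not in_literal
            out.append(ch)
        elif ch == "\\" and in_literal and i + 1 < len(sql):
            # backslash escape inside a literal: copy both characters verbatim
            out.append(sql[i:i + 2])
            i += 2
            continue
        elif ch == "?" and not in_literal:
            if next_param >= len(params):
                raise ValueError("more '?' placeholders than parameters")
            out.append(escape_literal(params[next_param]))
            next_param += 1
        else:
            out.append(ch)
        i += 1
    if in_literal:
        raise ValueError("unterminated string literal in SQL text")
    if next_param != len(params):
        raise ValueError("more parameters than '?' placeholders")
    return "".join(out)


if __name__ == "__main__":
    # The exact case from the message (constructed input).
    print(bind_statement("insert into foo (bar) values (?)", ["('a1', 'b2', 'c3')"]))
```

The backslash form matches what the message shows for the driver of that era; on a server with standard_conforming_strings on, a quote inside a literal is doubled ('') instead, so the escaping rule must follow the server setting.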


