Re: Patch applied for SQL Injection vulnerability for setObject(int,Object,int)

Barry Lind wrote:
> Fernando,
>
>
> Fernando Nasser wrote:
>
> > What if my string (which is a string, not a list) contains the 
> > characters "('a1', 'b2', 'c3')"?   How do I set my parameter to such a 
> > string with setObject?
>
>
> OK, now I understand your question.  This will still work, just like it 
> always has.  The single quotes will be escaped before sending them to 
> the backend and the result will be what you would expect.
>
> So if the query was: insert into foo (bar) values (?)
>
> stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);
>
> would result in the following statement sent to the server:
>
> insert into foo (bar) values ('(\'a1\', \'b2\', \'c3\')')
>
> which will result in the value ('a1', 'b2', 'c3') being inserted.

OK, so far so good.  And my other question is:

Can we pass a set of strings?

stmt.setObject(1, "('a1', 'b2', 'c3')", Types.VARCHAR);

will result into:

... where ... in (\'a1\', \'b2\', \'c3\') ...

while the proper syntax should be:

... where ... in ('a1', 'b2', 'c3') ...

or will the backend work even with the escaped quotes?

What was I refering to partial solution (or something of a sort) was the 
fact that you can fill your IN predicate <in values list> if the 
elements of the list are numeric values but not if the values where 
VARCHARs.



--
Fernando Nasser
Red Hat Canada Ltd.                     E-Mail:  fnasser@xxxxxxxxxx
2323 Yonge Street, Suite #300
Toronto, Ontario   M4P 2C9


---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
     subscribe-nomail command to majordomo@xxxxxxxxxxxxxx so that your
     message can get through to the mailing list cleanly