dbTalk Databases Forums

[BUGS] BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

mailing.database.pgsql-bugs

#1
PostgreSQL Bugs List

[BUGS] BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL - 01-14-2004, 06:50 AM

The following bug has been logged online:

Bug reference: 1049
Logged by: Tom Hargrave

Email address: tomh (AT) fisher (DOT) co.uk

PostgreSQL version: 7.3.2

Operating system: Linux

Description: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

Details:

If a piece of SQL is executed in a JDBC prepared statement that includes a
semicolon and a valid piece of SQL, then the embedded valid piece of SQL
still executes even though the overall statement is invalid.

Example:

select c1 from t1 order by;drop t2; c1

This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.

See article:

http://www.computerweekly.com/articl...D=127470&liFlavourID=1


---------------------------(end of broadcast)---------------------------
TIP 7: don't forget to increase your free space map settings


#2
Richard Huxton

Re: [BUGS] BUG #1049: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL - 01-14-2004, 09:17 AM

On Wednesday 14 January 2004 12:48, PostgreSQL Bugs List wrote:
Quote:
The following bug has been logged online:

Bug reference: 1049
Logged by: Tom Hargrave
Email address: tomh (AT) fisher (DOT) co.uk

Description: Invalid SQL Executed as JDBC Prepared Statement still executes embedded SQL

select c1 from t1 order by;drop t2; c1

Does JDBC not include the ability to escape supplied parameters so "dangerous"
characters are handled properly? Or are you saying that it fails to deal with
semicolons?

Quote:
This causes security issues if the SQL is constructed from a web page that
inputs strings that are used to construct a statement, since a hacker can
embed SQL within a single field that executes regardless of the overall
statement being invalid.

NEVER allow unchecked data from an untrusted user into your system. This is
standard security practice.

--
Richard Huxton
Archonet Ltd
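
The mitigation Richard's reply points at, as an added example that is not code from the report or from the PostgreSQL JDBC driver: the filter value is passed as a bound parameter, and the ORDER BY column, which no driver can bind as a parameter, is checked against an allow-list before it is spliced into the statement. It assumes Python's sqlite3 module as a stand-in for a PostgreSQL connection and a constructed t1/t2 schema.

```python
import sqlite3

# Constructed schema standing in for the report's t1 and t2; an in-memory
# sqlite3 database is used as a stand-in for the PostgreSQL connection.
SCHEMA = """
CREATE TABLE t1 (c1 INTEGER, c2 TEXT);
CREATE TABLE t2 (id INTEGER);
INSERT INTO t1 VALUES (2, 'b'), (1, 'a'), (3, 'a');
"""

# Columns the application permits in ORDER BY. An identifier cannot be bound
# as a prepared-statement parameter, so an allow-list is the only safe way to
# let a caller choose the sort column.
ALLOWED_ORDER_COLUMNS = {"c1", "c2"}

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def fetch_sorted(conn, c2_value, order_by):
    """Rows of t1 with c2 = c2_value, sorted by an allow-listed column.

    order_by is validated before it is spliced into the SQL text; c2_value is
    passed as a bound parameter, never concatenated into the statement.
    """
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"order_by column not permitted: {order_by!r}")
    sql = f"SELECT c1 FROM t1 WHERE c2 = ? ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql, (c2_value,))]

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' "
                       "AND name = ?", (name,)).fetchone()
    return row is not None

def demo():
    """Feed the report's hostile input through both positions of the query."""
    conn = connect()
    hostile = ";drop t2; c1"  # the embedded statement from the bug report
    try:
        fetch_sorted(conn, "a", hostile)
        rejected = False
    except ValueError:
        rejected = True
    # As a bound value the same text is just a string that matches no row.
    matched = fetch_sorted(conn, hostile, "c1")
    return rejected, matched, table_exists(conn, "t2")  # (True, [], True)
```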