Re: [JDBC] Prepared statement performance...

Curt Sampson <cjs@cynic.net>

From: Curt Sampson <cjs@cynic.net>
To: Peter Kovacs <peter.kovacs@sysdata.siemens.hu>
Cc: pgsql-general@postgresql.org, <pgsql-jdbc@postgresql.org>
Date: 2002-10-16T06:06:30Z
Lists: pgsql-general
On Mon, 14 Oct 2002, Peter Kovacs wrote:

> I do not clearly understand what the problem is with someone typing in
> "foo'; DROP TABLE bar;" into the "Name" field on your web form.

If you do just a dumb string concatination, it can insert arbitrary
commands into your conversation with the postgres database. E.g.,
your code does this to construct the query:

    "SELECT id FROM users WHERE name = '" + name + '"'"

and name, taken directly from the input field, is

    foo'; DROP TABLE users; SELECT 'foo

Your query ends up being:

    SELECT id FROM users WHERE name = 'foo'; DROP TABLE users; SELECT 'foo';

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC