oss-sec mailing list archives
Re: postgresql-jdbc 8.1 SQL injection with postgresql server 9.1
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 30 Mar 2012 22:02:51 +0200
* Ludwig Nussel:
Postgresql 9.1 turned "standard conforming strings" on by default[1][2]. postgresql-jdbc before version 8.2-504 however did not know about that kind of string and escaped single quotes with a backslash always. When such an old version of postgresql-jdbc is used with a newer postgresql server it not only breaks when strings contain single quotes, it also allows for SQL injections[3].
By the way, if you want to fix this for some reason, you should probably include support for the modified BYTEA encoding introduced in the 9.0 server version, too.
Current thread:
- postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Ludwig Nussel (Mar 30)
- Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Robert Haas (Mar 30)
- Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Robert Haas (Mar 30)
- Re: postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Florian Weimer (Mar 30)
- Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1 Robert Haas (Mar 30)