Brian Aker wrote:
Hi!

Its been possible to do the following via the protocol:

select 1; select 1;

And send them in the same packet. What is the problem?

SQL injection.

It makes it really simple for someone to pack in a new SQL statement by accident.

I am thinking we should header the protocol so that each statement is in its own envelope. You can still send multiple SQL statements in the same packet, but not via a simple delimiter.

And while we are at it remove the delimiter command and make sure all of its logic is in the client, not the server.


SQL injection is the resulting of requiring/encouraging application programs to construct SQL strings. Switch to an API that has a good implementation of prepared statements, the problem goes away, the plumbing is faster and better, the application code is smaller, simpler, and more reliable, I get my widget even if my street name contains a comma, and peace breaks out in the middle east.

On the more mundane side of things, JDBC supports multiple SQL statements per string. Banning the feature from the server would require a JDBC driver to parse, slice, and dice statement strings.


_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to