Brian Aker wrote:
Hi!
Its been possible to do the following via the protocol:
select 1; select 1;
And send them in the same packet. What is the problem?
SQL injection.
It makes it really simple for someone to pack in a new SQL statement
by accident.
I am thinking we should header the protocol so that each statement is
in its own envelope. You can still send multiple SQL statements in the
same packet, but not via a simple delimiter.
And while we are at it remove the delimiter command and make sure all
of its logic is in the client, not the server.
SQL injection is the resulting of requiring/encouraging application
programs to construct SQL strings. Switch to an API that has a good
implementation of prepared statements, the problem goes away, the
plumbing is faster and better, the application code is smaller, simpler,
and more reliable, I get my widget even if my street name contains a
comma, and peace breaks out in the middle east.
On the more mundane side of things, JDBC supports multiple SQL
statements per string. Banning the feature from the server would
require a JDBC driver to parse, slice, and dice statement strings.
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help : https://help.launchpad.net/ListHelp