Commit b75bb786 authored by Dr. Martin Goik

Postgresql SQL injection requires COMMIT

parent f35925ad
......@@ -1605,7 +1605,7 @@ public someClass {
<para>Sanitizing user input</para>
<para>Solution by PreparedStatement </para>
<para>Solution by PreparedStatement</para>
</abstract>
</info>
......@@ -1882,42 +1882,15 @@ public someClass {
<orderedlist>
<listitem>
<para>The <productname
xlink:href="https://www.mysql.com">Mysql</productname>
<trademark
xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark>
driver implementation already provides precautions to
hamper SQL injection attacks. In its default configuration
a sequence of SQL commands separated by semicolons
(<quote>;</quote>) will not be executed but flagged as a
SQL syntax error. We take an example:</para>
<programlisting language="sql">INSERT INTO Person VALUES (...);DROP TABLE Person</programlisting>
<para>In order to execute these so called multi user
queries we explicitly have to enable a <productname
xlink:href="https://www.mysql.com">Mysql</productname>
property thereby overriding the default security
configuration:</para>
<literallayout>jdbc:mysql://localhost:3306/hdm?useSSL=false&amp;<emphasis
role="red">allowMultiQueries=true</emphasis></literallayout>
<para>The <productname
xlink:href="https://www.mysql.com">Mysql</productname>
manual <link
xlink:href="https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html">contains
</link>a remark regarding this parameter:</para>
<remark>Notice that this has the potential for SQL
injection if using plain java.sql.Statements and your code
doesn't sanitize input correctly.</remark>
<para>In other words: You have been warned!</para>
<para>Executing multi-line statements may require explicit
<code>COMMIT</code> statements:</para>
<programlisting language="sql">INSERT INTO Person VALUES (...);DROP TABLE Person;<emphasis
role="red">COMMIT</emphasis>;...</programlisting>
</listitem>
<listitem>
<para>You may now use either of the two input fields
<para>You may use either of the two input fields
<quote>name</quote> or <quote>email</quote> to inject
arbitrary SQL code.</para>
</listitem>
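Review bot: Deleting the whole MySQL block in this hunk (the `allowMultiQueries=true` connection property, the manual's remark, and the paragraph "Executing multi-line statements may require explicit COMMIT statements") removes the only explanation of why semicolon-separated statements are executed at all and why a `COMMIT` shows up in the payload, while the surviving list item still tells the reader to "inject arbitrary SQL code". Since the commit moves the example to PostgreSQL, replace the deleted text with a short paragraph stating how the PostgreSQL JDBC driver treats a `;`-separated statement sequence and why the explicit `COMMIT` is needed there, rather than leaving the list item without any context. The trailing-space fix in the changed `<para>` is fine.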
......@@ -1937,7 +1910,7 @@ public someClass {
<emphasis role="red">Eve</emphasis> to launch our
attack:</para>
<programlisting language="sql"><emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim</emphasis></programlisting>
<programlisting language="sql"><emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;COMMIT;INSERT INTO Person VALUES('jim</emphasis></programlisting>
<para>A corresponding dialog reads:</para>
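Review bot: The new payload inserts `COMMIT;` between `DROP TABLE Person;` and `INSERT INTO Person VALUES('jim` without a word of explanation, and the preceding `<para>` still only says "to launch our attack". The commit message states that the PostgreSQL variant requires the `COMMIT`, but the text no longer does, because the paragraph that used to say so is removed in the same commit. Add one sentence here explaining why the `COMMIT` is required on PostgreSQL and what happens without it, so the reader can tell the two payload variants apart.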
......@@ -1946,11 +1919,19 @@ Enter a person's name or 'x' to exit: <emphasis role="red">Eve', 'eve@my.org');D
Enter <emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim's</emphasis> email or 'x' to exit: jim@company.com
</screen>
<screen>java -jar /home/goik/.m2/repository/de/hdm_stuttgart/sda1/insert/insert_user/0.2/insert_user-0.2.jar
Enter a person's name or 'x' to exit: <emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;COMMIT;INSERT INTO Person VALUES('jim</emphasis>
Enter <emphasis role="red">Eve', 'eve@my.org');DROP TABLE Person;COMMIT;INSERT INTO Person VALUES('jim's</emphasis> email or 'x' to exit: sd@de
Exception in thread "main" org.postgresql.util.PSQLException: ERROR: relation "person" does not exist
Position: 13
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2103)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1836)</screen>
<para>This <quote>successfully</quote> kills our
<code>Person</code> table:</para>
<screen>goik@goikschlepptop MinimumTest&gt; cat A1.log
main INFO insert.SimpleInsert - Executing «INSERT INTO Person VALUES('Eve', 'eve@my.org');DROP TABLE Person;INSERT INTO Person VALUES('jim', 'jim@company.com')»
main INFO insert.SimpleInsert - Executing «INSERT INTO Person VALUES('Eve', 'eve@my.org');DROP TABLE Person;COMMIT;INSERT INTO Person VALUES('jim', 'jim@company.com')»
main ERROR insert.SimpleInsert - General database connection problem:
java.sql.SQLSyntaxErrorException: Table 'hdm.Person' doesn't exist
at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:112) ~[insert_user-0.1.jar:?]
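Review bot: The added `<screen>` session and the changed `A1.log` line are inconsistent with the unchanged context that follows them: the session runs `insert_user-0.2.jar` and fails with `org.postgresql.util.PSQLException: ERROR: relation "person" does not exist`, yet the log excerpt still ends with the MySQL Connector/J trace (`java.sql.SQLSyntaxErrorException: Table 'hdm.Person' doesn't exist`, `com.mysql.cj.jdbc.exceptions.SQLError.createSQLException` from `insert_user-0.1.jar`), and the email typed in the session (`sd@de`) does not match the `'jim@company.com'` recorded in the log. Regenerate `A1.log` from the PostgreSQL run so the logged statement, the exception, and the entered input match. The `Position: 13` line in the new screen is also worth a sentence: it points at the table name in the final `INSERT INTO Person ...`, which fails precisely because the preceding `DROP TABLE Person;COMMIT;` has already taken effect, and that is the observation the text "This successfully kills our Person table" relies on.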