[Hibernate-issues] [Hibernate-JIRA] Commented: (HB-192) net.sf.hibernate.type.StringType contains risky SQL generation

[<leg...@at...>]

The following comment has been added to this issue:

     Author: Max Rydahl Andersen
    Created: Tue, 15 Jul 2003 1:34 AM
       Body:
I get your point, but is there much we can do about it ? The sql string you gave was a completely legal string ;) How would you escape away from it ?

But anyhow - the jdbc driver should handle this as the result of this method is passed to a preparedstatement, which per the standard should handle such escaping (IMHO, or at least that is my understanding ;)


---------------------------------------------------------------------
View the issue:

  http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-192


Here is an overview of the issue:
---------------------------------------------------------------------
        Key: HB-192
    Summary: net.sf.hibernate.type.StringType contains risky SQL generation
       Type: Bug

     Status: Unassigned
   Priority: Major

    Project: Hibernate2
 Components: 
             core
   Versions:
             2.0.1

   Assignee: 
   Reporter: Paul Brown

    Created: Mon, 14 Jul 2003 10:55 AM
    Updated: Mon, 14 Jul 2003 10:55 AM

Description:
The method:

	public String objectToSQLString(Object value) throws Exception {
		return '\'' + (String) value + '\'';
	}

risks creating dangerous SQL in the hands of a well-informed, malicious user.


---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.

If you think it was sent incorrectly contact one of the administrators:
   http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa

If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira