[reload4j] SQL injection problem in JDBCAppender

Ceki Gülcü ceki at qos.ch
Wed Jan 19 12:53:03 CET 2022



On 1/19/2022 11:22 AM, Vladimir Sitnikov wrote:

> There's a case when users can override JDBCAppender, and override its
> flushBuffer method.
> 
> So removing the class would break "drop-in replacement" 
> I would rather suggest doing the following:
> 1) Throw an exception from JDBCAppender#flushBuffer unless there's
> reload4.appender.jdbc.allow_insecure_sql_replace=true

How do you prevent SQL injection in the first place?

-- 
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
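For reference, the approach that removes the injection class entirely rather than gating it behind a property: keep the event data out of the SQL text altogether and bind it as parameters. The following subclass is an added illustration, not reload4j code; the class name, the LOG_EVENTS table and its column layout are assumptions of the example, while flushBuffer, buffer, removes, getConnection, closeConnection and errorHandler are the inherited JDBCAppender/AppenderSkeleton members.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Iterator;
import org.apache.log4j.jdbc.JDBCAppender;
import org.apache.log4j.spi.ErrorCode;
import org.apache.log4j.spi.LoggingEvent;

// Hypothetical appender (not part of reload4j): reuses JDBCAppender's buffering and
// connection handling, but event fields are bound as parameters, never spliced into SQL.
public class ParameterizedJdbcAppender extends JDBCAppender {
    // Fixed statement text; the LOG_EVENTS layout is an assumption of this example.
    private static final String INSERT_SQL =
        "INSERT INTO LOG_EVENTS (EVENT_TIME, LEVEL, LOGGER, MESSAGE) VALUES (?, ?, ?, ?)";

    @Override
    public void flushBuffer() {
        removes.ensureCapacity(buffer.size());
        Connection con = null;
        try {
            con = getConnection();
            PreparedStatement ps = con.prepareStatement(INSERT_SQL);
            try {
                for (Iterator<?> i = buffer.iterator(); i.hasNext();) {
                    LoggingEvent event = (LoggingEvent) i.next();
                    try {
                        ps.setTimestamp(1, new Timestamp(event.getTimeStamp()));
                        ps.setString(2, event.getLevel().toString());
                        ps.setString(3, event.getLoggerName());
                        // Quotes, semicolons or comment markers in the message remain data.
                        ps.setString(4, event.getRenderedMessage());
                        ps.executeUpdate();
                    } catch (SQLException e) {
                        errorHandler.error("Failed to insert log event", e, ErrorCode.FLUSH_FAILURE);
                    } finally {
                        removes.add(event); // drop the event whether or not the insert succeeded
                    }
                }
            } finally {
                ps.close();
            }
        } catch (SQLException e) {
            // Connection or prepare failed: events stay buffered for the next flush.
            errorHandler.error("Failed to prepare log insert", e, ErrorCode.FLUSH_FAILURE);
        } finally {
            closeConnection(con);
        }
        buffer.removeAll(removes);
        removes.clear();
    }
}
```

Because the statement text is a compile-time constant, the sql/PatternLayout property of the parent appender no longer influences what is executed, so a user-controlled log message cannot change the statement.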


More information about the reload4j mailing list