<html><head></head><body>Hi,<br><br>I think that's a sensible suggestion.<br><br>Those who need that functionality could always add a JDBCAppender of their own separately.<br><br>/Robert<div style='white-space: pre-wrap'>--  _______________________________________<br>Robert Olofsson, Sweden<br><br><a href="http://www.unlogic.se">http://www.unlogic.se</a></div><br><br><div class="gmail_quote">On January 19, 2022 9:38:04 AM GMT+01:00, "Ceki Gülcü" &lt;ceki@qos.ch&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre dir="auto" class="k9mail"><br>Hi All,<br><br>JDBCAppender uses simple strings instead of java.sql.Statement to talk<br>to the database. This creates a vulnerability point for SQL injection<br>attacks.<br><br>Fixing this vulnerability in JDBCAppender (a rarely used component) in a<br>backward compatible way would be a lot of work for very little or no<br>benefit.<br><br>As such, I propose to remove JDBCAppender from reload4j with no replacement.<br><br>Any objections?<br><br><div class="k9mail-signature">-- <br>Ceki Gülcü<br><br>Sponsoring SLF4J/logback/reload4j at <a href="https://github.com/sponsors/qos-ch">https://github.com/sponsors/qos-ch</a><hr>reload4j mailing list<br>reload4j@qos.ch<br><a href="http://mailman.qos.ch/cgi-bin/mailman/listinfo/reload4j">http://mailman.qos.ch/cgi-bin/mailman/listinfo/reload4j</a><br></div></pre></blockquote></div></body></html>