[reload4j] SQL injection problem in JDBCAppender
Ceki Gülcü
ceki at qos.ch
Wed Jan 19 12:54:33 CET 2022
You would need to use PreparedStatements and this breaks backward
compatibility unless I am missing something.
On 1/19/2022 12:53 PM, Ceki Gülcü wrote:
>
>
> On 1/19/2022 11:22 AM, Vladimir Sitnikov wrote:
>
>> There's a case when users can override JDBCAppender, and override its
>> flushBuffer method.
>>
>> So removing the class would break "drop-in replacement"
>> I would rather suggest doing the following:
>> 1) Throw an exception from JDBCAppender#flushBuffer unless there's
>> reload4.appender.jdbc.allow_insecure_sql_replace=true
>
> How do you prevent SQL injection in the first place?
>
--
Ceki Gülcü
Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
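The contrast the thread is about, as an added illustration that is not reload4j's own code and does not touch JDBCAppender: a pattern-substituting flush builds SQL text out of event fields, so any quote in a logged message ends the string literal and the remainder is parsed as SQL; a flush that binds the same fields through a PreparedStatement keeps the statement fixed. The class, the Event type, the table and column names and the pattern placeholders are all hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;

// Hypothetical stand-in for an appender's buffer flush; not reload4j's JDBCAppender.
public class ParameterizedLogFlush {

    // Constructed minimal logging event: level, logger name, rendered message.
    public static final class Event {
        final String level;
        final String logger;
        final String message;

        Event(String level, String logger, String message) {
            this.level = level;
            this.logger = logger;
            this.message = message;
        }
    }

    // Insecure shape: the SQL is produced by textual substitution into a
    // configured pattern, so the message text itself becomes part of the SQL.
    static String buildBySubstitution(String pattern, Event e) {
        return pattern.replace("%p", e.level)
                      .replace("%c", e.logger)
                      .replace("%m", e.message);
    }

    // Secure shape: one fixed statement with placeholders; the driver transmits
    // the values separately, so a quote inside a message stays data.
    static final String INSERT_SQL =
        "INSERT INTO LOGS (LEVEL, LOGGER, MESSAGE) VALUES (?, ?, ?)";

    static void flushBuffer(Connection conn, List<Event> buffer) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            for (Event e : buffer) {
                ps.setString(1, e.level);
                ps.setString(2, e.logger);
                ps.setString(3, e.message);
                ps.addBatch();
            }
            ps.executeBatch();
        }
        buffer.clear();
    }

    public static void main(String[] args) {
        // Constructed event whose message merely contains an apostrophe.
        Event e = new Event("ERROR", "app.Login", "can't open session");
        String pattern = "INSERT INTO LOGS (LEVEL, LOGGER, MESSAGE) VALUES ('%p', '%c', '%m')";
        // The apostrophe in the message terminates the MESSAGE literal early,
        // leaving "t open session')" to be parsed as SQL by the database.
        System.out.println(buildBySubstitution(pattern, e));
        // The parameterized path never concatenates the message; the same
        // event would be bound via setString in flushBuffer above.
    }
}
```

The compatibility point in the message above falls out of this shape: the parameterized flush replaces the configured SQL pattern with a fixed statement and a new flush signature, so a subclass that overrides flushBuffer to run its own substituted SQL would still carry the original behaviour.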