
News: PostgreSQL updated to address SQL Injection

  1. PostgreSQL minor versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15 have been updated to address a SQL injection vulnerability, for applications that embed untrusted input directly into SQL statements (i.e., avoiding the PreparedStatement facility for escaping input). In case you're unaware, SQL injection uses specifically formed inputs to violate programmer intent. The classic example is something like this:
    // Untrusted input glued straight into the SQL text (the vulnerable pattern)
    String sql = "select * from users where username='" + username + "' and password='" + password + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(sql);
    If password is set to a value such as "a' or username like '%' or password like '%", the SQL evaluated will be something like this:
    select * from users where username='a' and password='a' or username like '%' or password like '%'
    Obviously, this can have some security implications. In Java, PreparedStatement is used to easily avoid this kind of security attack, with some performance benefits as well for many databases. If your application using PostgreSQL isn't using PreparedStatement - and can't - it might be a good time to update PostgreSQL. There's a release note about the security issue, which includes tips about how to avoid it (mostly applicable if you're using PHP).
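    The following is an added example, not part of the original post: it runs the concatenated query from the post and its parameterized equivalent side by side against a constructed in-memory SQLite table, using Python's stdlib sqlite3 binding in place of JDBC so it runs without a database server. The parameter binding with `?` plays the same role as a Java PreparedStatement: the statement shape is fixed before the values are supplied. The table contents and the user names are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as the Java snippet in the post: input pasted into SQL text."""
    sql = (
        "select username from users where username='" + username
        + "' and password='" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Equivalent of PreparedStatement: placeholders are bound, never interpolated."""
    sql = "select username from users where username=? and password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# The password value quoted in the post; as a bound parameter it is just a string.
INJECTED_PASSWORD = "a' or username like '%' or password like '%"


def demo():
    """Run both versions with a correct login and with the injected password."""
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "a", INJECTED_PASSWORD),
        "parameterized_correct": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_injected": login_parameterized(conn, "a", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

    With the concatenated query the injected password returns every row in the table, because the `or` clauses become part of the statement; with the bound parameter the same string is compared literally against the password column and matches nothing. This is why the post recommends PreparedStatement over escaping: the application never has to get quoting right for the database's particular encoding rules.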


  2. ...then you get what you deserve. Anyone who's running around building SQL statements by gluing bits of text together shouldn't be allowed anywhere near a keyboard.
  3. Not an issue for JDBC

    I'd just like to point out that it is not believed that the newly found security problem affects SQL generated in Java. The issue relates to the handling of escape sequences in multibyte encodings. According to the security advisory, they don't think Java strings will allow for these sequences. http://www.postgresql.org/docs/techdocs.50 Of course the same old SQL injection problem still exists for anyone foolish enough to be doing SQL munging with user input.
  4. Hibernate approach?

    Would the app be vulnerable if we use Hibernate to generate our queries?