<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">2014-03-06 18:51 GMT+01:00 Gino Pirelli <span dir="ltr"><<a href="mailto:luipir@gmail.com" target="_blank">luipir@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres quote_* methods manage "--" Comments or String without Quotes that can break SQL statement or introduce elements that can't be escaped...</div>
<div><br></div><div>I would appreciate opinions by DB experts because looking around all says that escaping it's not enough.</div><div class=""><div><br></div><div><pre style="white-space:pre-wrap;font-size:10.285714149475098px;margin-top:0px;margin-bottom:0px">
<font color="#000000" face="arial">Luigi Pirelli (<a href="mailto:luigi.pirelli@faunalia.it" target="_blank">luigi.pirelli@faunalia.it</a> - <a href="mailto:luipir@gmail.com" target="_blank">luipir@gmail.com</a>)</font></pre>
</div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On 6 March 2014 16:35, Jürgen E. <span dir="ltr"><<a href="mailto:jef@norbit.de" target="_blank">jef@norbit.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Gino,<br>
<div><br>
On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:<br>
> but they quote only ' or \ so they are -not- enough to a complete sql<br>
> injection protection [4]<br>
<br>
</div>Um, the link doesn't clearly point out what else to do.<br>
<div><br>
> every DB have it's internal functions to manage this cases, but better<br>
> use parametrized queries as in many parts of the provider... but not<br>
> in all parts.<br>
<br>
</div>[1] looks similar. It duplicates all backslashes not just those in front of a<br>
double quote and prepends a E to strings with backslashes. 7829e7a now does it<br>
the same way.<br>
<br></blockquote></div></div></div></div></blockquote><div><br></div><div><br></div><div>Hi Gino,</div><div><br></div><div>are you worried about functions exposed by QGIS Mapserver or by the desktop? </div></div><div><br>
</div>-- <br>Alessandro Pasotti<br>w3: <a href="http://www.itopen.it">www.itopen.it</a>
</div></div>