[fdo-users] FDO 3.3 has an sql injection problem

Hans Milling hm at geograf.dk
Thu Dec 8 10:10:56 EST 2011


When I query a MapInfo table (OGR provider) from the FDO Toolbox application
(and from my own application), I can return all rows in a table by using an
apostrophe / single quote in the query filter, like this:
name like "O'Conner%"
If I write:
lastname like 'O'Conner%'
It works as normal.
Doing:
lastname like "O''Conner%"
                ^ Two single quotes
Does not return any rows
Is this a bug in FDO?

Best regards Hans Milling...



--
View this message in context: http://osgeo-org.1803224.n2.nabble.com/FDO-3-3-has-an-sql-injection-problem-tp7074609p7074609.html
Sent from the FDO Users mailing list archive at Nabble.com.
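The three filters in the report differ only in how the apostrophe inside the
string literal is quoted. The following is an added example, not FDO or OGR
code, and it does not show how the OGR provider translates an FDO filter
internally; it uses an in-memory SQLite table with constructed rows to show
the generic mechanism behind a quote-handling bug of this kind: a pattern
interpolated straight into the WHERE clause, the same pattern with the
single quote doubled (the SQL escape for a quote inside a literal, which is
what `'O''Conner%'` means), and the pattern passed as a bound parameter. The
table name `people` and the helper names are assumptions for the example.

```python
import sqlite3

# Constructed sample data (not from the original post).
ROWS = [("O'Conner",), ("Oconnor",), ("Smith",), ("O'Neil",)]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (lastname TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", ROWS)
    return conn


def naive_filter(pattern):
    """Interpolate the pattern into the literal with no escaping.

    This is the pattern of bug the report describes: a quote inside the
    value terminates the literal early.
    """
    return "lastname LIKE '" + pattern + "'"


def escaped_filter(pattern):
    """Standard SQL escaping: a single quote inside a literal is doubled."""
    return "lastname LIKE '" + pattern.replace("'", "''") + "'"


def run_filter(conn, where):
    """Run a SELECT with the given WHERE text; return sorted last names."""
    sql = "SELECT lastname FROM people WHERE " + where
    return sorted(row[0] for row in conn.execute(sql))


def run_parameterized(conn, pattern):
    """The safe form: the pattern never touches the SQL text at all."""
    sql = "SELECT lastname FROM people WHERE lastname LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def naive_filter_errors(conn, pattern):
    """True if the interpolated query is rejected by the SQL parser."""
    try:
        run_filter(conn, naive_filter(pattern))
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # 'O'Conner%' : the literal ends after O, the rest is a syntax error.
    print("naive O'Conner% errors:", naive_filter_errors(db, "O'Conner%"))
    # 'O''Conner%' : one literal containing an apostrophe; one matching row.
    print("escaped:", run_filter(db, escaped_filter("O'Conner%")))
    # A crafted pattern that closes the literal and appends OR '1'='1'
    # returns every row when interpolated, nothing when escaped or bound.
    crafted = "x%' OR '1'='1"
    print("naive crafted:", run_filter(db, naive_filter(crafted)))
    print("escaped crafted:", run_filter(db, escaped_filter(crafted)))
    print("bound crafted:", run_parameterized(db, crafted))
    print("bound O'Conner%:", run_parameterized(db, "O'Conner%"))
```

Note that doubling the quote only addresses the literal delimiter; `%` and
`_` in the value are still LIKE wildcards, so a value taken from a user also
needs those escaped (SQL's `ESCAPE` clause) if it is meant to match
literally. The bound-parameter form is the one to prefer whenever the
provider exposes it, because no escaping rule has to be kept in sync with
the target database's dialect.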
