[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Wed Apr 9 04:13:34 PDT 2014
#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+--------------------------------------------------
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: blocker | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Keywords: | Platform: Unspecified
Cpu: Unspecified |
-------------------------+--------------------------------------------------
It seems that it is not possible to enter attribute data for a new vector
feature that is not valid SQL, due to the code being unable to pass user text
to the database as text.
Steps to reproduce:
* Create a new vector data set;
* Create a new text attribute column for it;
* Digitize a new feature;
* Provide the following text as the attribute value: '; drop database important_data; '
* Observe kaBOOM! as the text is parsed by the database instead of being properly escaped or passed as a prepared statement to the DB.
{{{
DBMI-SQLite driver error:
Error in sqlite3_prepare():
near ";": syntax error
DBMI-SQLite driver error:
Error in sqlite3_prepare():
near ";": syntax error
KĻŪDA: Error while executing: 'INSERT INTO remove_me (cat,nosaukums)
VALUES (3,''; drop database important_data; '')'
}}}
The issue also occurs with more harmless examples like: It's fun
For better effect, enter the value as: '); delete from MYVECTORMAP; select '
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252>
GRASS GIS <http://grass.osgeo.org>
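The fix the ticket asks for is to hand the attribute value to the driver as a bound parameter instead of splicing it into the SQL string. The Python example below is added here and is not part of the ticket or of GRASS's own code; it replays the two values quoted in the report against an in-memory SQLite table (a constructed stand-in for the `remove_me` table with its `cat` and `nosaukums` columns) both ways, so the difference can be checked offline.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the ticket's table: integer key plus a text column.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE remove_me (cat INTEGER, nosaukums TEXT)")
    return con


def insert_unsafe(con, cat, text):
    # The pattern the ticket describes: the user's text is pasted into the SQL
    # string and wrapped in quotes, so any quote in the value becomes SQL syntax.
    sql = "INSERT INTO remove_me (cat,nosaukums) VALUES (%d,'%s')" % (cat, text)
    con.execute(sql)


def insert_safe(con, cat, text):
    # Bound parameters: SQLite receives the value as data, never as SQL text,
    # so quotes and semicolons in it are stored literally.
    con.execute("INSERT INTO remove_me (cat,nosaukums) VALUES (?,?)", (cat, text))


def stored_values(con):
    return [row[0] for row in con.execute("SELECT nosaukums FROM remove_me ORDER BY cat")]


def demo():
    """Replay the ticket's two sample values.

    Returns (unsafe_failed, safe_stored): a flag per value saying whether the
    string-spliced INSERT was rejected by SQLite, and the values the
    parameterised INSERT actually stored.
    """
    samples = ["It's fun", "'; drop database important_data; '"]
    unsafe_failed = []
    con = make_db()
    for cat, text in enumerate(samples, start=1):
        try:
            insert_unsafe(con, cat, text)
            unsafe_failed.append(False)
        except sqlite3.Error:
            # "near ...: syntax error" from the quote, or a refusal to run a
            # second statement: either way the value never reached the table.
            unsafe_failed.append(True)
    con = make_db()
    for cat, text in enumerate(samples, start=1):
        insert_safe(con, cat, text)
    return unsafe_failed, stored_values(con)


if __name__ == "__main__":
    print(demo())
```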