[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Fri Feb 13 04:32:32 PST 2015
#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: blocker | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Keywords: security, code injection, SQL injection, data loss, v.db.update | Platform: Unspecified
Cpu: Unspecified |
-----------------------------------------------------------------------------+
Comment(by marisn):
Replying to [comment:4 mlennert]:
> I can't reproduce this bug. I've tried with different SQL texts and they
> all are just put into the text field in the attribute table.
>
> Maris, can you still confirm this bug ?
Nothing has changed. Text fields still fail if a single apostrophe is
entered. Deleting the whole database via a text attribute entry field has been
left as an exercise for the reader ;)
GRASS version: 7.1.svn
GRASS SVN revision: 64597M
Build date: 2015-01-13
Build platform: x86_64-unknown-linux-gnu
{{{
SQL parser error (syntax error, unexpected SELECT, expecting $end or ';'
processing 'select') in statement:
UPDATE lid_vor SET nosaukums=''; select * from lid_vor; '' WHERE cat=61
Unable to execute statement.
DBMI-DBF driver error:
SQL parser error (syntax error, unexpected SELECT, expecting $end or ';'
processing 'select') in statement:
UPDATE lid_vor SET nosaukums=''; select * from lid_vor; '' WHERE cat=61
Unable to execute statement.
KĻŪDA: Error while executing: 'UPDATE lid_vor SET nosaukums=''; select *
from lid_vor; '' WHERE cat=61'
}}}
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:5>
GRASS GIS <http://grass.osgeo.org>
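Added example (not GRASS code): it rebuilds the UPDATE statement that the ticket's log shows the digitizer sending to the DBF driver, first with the attribute value pasted in verbatim (the defect) and then with every single quote doubled, which is the SQL way to embed an apostrophe in a string literal. Table `lid_vor`, column `nosaukums` and `cat=61` come from the ticket; the function names and the small statement checker are assumptions of this example.

```python
# Constructed example, not code from the GRASS project.

def build_update_unescaped(table, column, value, cat):
    """Defective form: the attribute value goes into the statement as typed,
    so a quote in the value terminates the string literal early."""
    return "UPDATE %s SET %s='%s' WHERE cat=%d" % (table, column, value, cat)

def sql_quote(value):
    """Turn a Python string into a SQL string literal by doubling each
    single quote; the literal can then never be closed by the value."""
    return "'" + value.replace("'", "''") + "'"

def build_update_escaped(table, column, value, cat):
    """Hardened form: the text goes through sql_quote and the key is forced
    to an integer, so the value cannot change the shape of the statement."""
    return "UPDATE %s SET %s=%s WHERE cat=%d" % (
        table, column, sql_quote(value), int(cat))

def is_single_statement(sql):
    """Guard a caller can run before executing: True only if every string
    literal is closed and no ';' appears outside a literal.  A doubled ''
    inside a literal is an escaped apostrophe, not a terminator."""
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1          # skip the second half of an escaped quote
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == ";":
            return False            # a second statement would start here
        i += 1
    return not in_literal

if __name__ == "__main__":
    # The exact text entered in the ticket, and a harmless name with an apostrophe.
    for typed in ("'; select * from lid_vor; '", "O'Brien"):
        bad = build_update_unescaped("lid_vor", "nosaukums", typed, 61)
        good = build_update_escaped("lid_vor", "nosaukums", typed, 61)
        print("unescaped:", bad, "->", is_single_statement(bad))
        print("escaped:  ", good, "->", is_single_statement(good))
```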