[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Tue Nov 24 11:45:47 PST 2015
#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+-------------------------------------------------
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: critical | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Resolution: | Keywords: security, code injection, SQL
CPU: | injection, data loss, v.db.update
Unspecified | Platform: Unspecified
-------------------------+-------------------------------------------------
Comment (by marisn):
Replying to [comment:8 mlennert]:
> I would propose to close this bug, as I don't see any real issue at
hand, here.
I'll paste my answer to your comment as an error message I got from wxgui
vector digitizer with current trunk:
{{{
DBMI-DBF driver error:
SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
processing 'ing') in statement:
INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
right?')
Unable to execute statement.
DBMI-DBF driver error:
SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
processing 'ing') in statement:
INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
right?')
Unable to execute statement.
KĻŪDA: Error while executing: 'INSERT INTO rm_me (cat,comments) VALUES
(1,'you must be f'ing kidding; right?')'
}}}
--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:9>
GRASS GIS <https://grass.osgeo.org>
More information about the grass-dev
mailing list