[Qgis-developer] SQL Injection vulnerability
luipir at gmail.com
Thu Mar 6 03:10:02 PST 2014
I was expanding the saveStyle functionality in the spatialite provider using the
same code model used in the PostgreSQL provider.

Reading the C++ code of the provider, I figured out a possible vulnerability
to SQL injection.

The QGIS PostgreSQL provider makes extensive use of two internal functions:
 QString QgsPostgresConn::quotedValue( QVariant value )
 QString QgsPostgresConn::quotedIdentifier( QString ident )
but they quote only ' or \, so they are -not- enough for complete SQL
injection protection.

Every DB has its internal functions to manage these cases, but it is better to
use parametrized queries, as in many parts of the provider... but not
in all parts.

Using parametrized queries needs an extensive rewrite of the providers... an
intermediate approach is to add specific quote_* calls in the above.

Let me know what you think.
Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
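As an added illustration (not the provider's own code), here is plain C++ without Qt that models the two quoting helpers named in the message, with a NUL-byte check added, beside a minimal parametrized-query builder of the kind the message recommends; `ParamQuery`, `selectStyle` and the `layer_styles` table and column names are assumptions.

```cpp
#include <stdexcept>
#include <string>
#include <vector>
// Literal quoting as the message describes it: double every ', and when a
// backslash is present double it too and emit an E'...' literal. Added
// check: NUL bytes are rejected, as PostgreSQL text cannot carry them.
std::string quotedValue(const std::string& v) {
    if (v.find('\0') != std::string::npos)
        throw std::invalid_argument("NUL byte in SQL literal");
    std::string out = (v.find('\\') != std::string::npos) ? "E'" : "'";
    for (char c : v) {
        if (c == '\'') out += "''";
        else if (c == '\\') out += "\\\\";
        else out += c;
    }
    return out + '\'';
}

// Identifier quoting: wrap in double quotes and double any embedded ".
std::string quotedIdentifier(const std::string& ident) {
    if (ident.empty() || ident.find('\0') != std::string::npos)
        throw std::invalid_argument("empty or NUL-containing SQL identifier");
    std::string out = "\"";
    for (char c : ident) { if (c == '"') out += '"'; out += c; }
    return out + '"';
}

// Parametrized alternative: SQL text carries only $n placeholders and the values
// travel separately, as PQexecParams expects (ParamQuery stands in for that API).
struct ParamQuery {
    std::string sql;
    std::vector<std::string> params;
    std::string bind(const std::string& v) {
        params.push_back(v);
        return "$" + std::to_string(params.size());
    }
};

// Hypothetical style lookup; table and column names are assumptions.
ParamQuery selectStyle(const std::string& tableName, const std::string& styleName) {
    ParamQuery q;
    const std::string p1 = q.bind(tableName);  // bound in statement order
    const std::string p2 = q.bind(styleName);
    q.sql = "SELECT styleqml FROM layer_styles WHERE f_table_name = " + p1 + " AND stylename = " + p2;
    return q;
}
```

The quoting helpers are still only a fallback; the value passed to `selectStyle` never touches the SQL text, which is what makes the parametrized path safe regardless of its content.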