[Qgis-developer] SQL Injection vulnerability

Jürgen E. Fischer jef at norbit.de
Thu Mar 6 07:35:38 PST 2014

Hi Gino,

On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> but they quote only ' or \ so they are -not- enough to a complete sql
> injection protection [4]

Um, the link doesn't clearly point out what else to do.

> every DB have it's internal functions to manage this cases, but better
> use parametrized queries as in many parts of the provider... but not
> in all parts.

[1] looks similar.  It duplicates all backslashes not just those in front of a
double quote and prepends a E to strings with backslashes.  7829e7a now does it
the same way.


[1] http://doxygen.postgresql.org/fe-exec_8c.html#a01c75d019597e76bc041716f27caf564

Jürgen E. Fischer         norBIT GmbH               Tel. +49-4931-918175-31
Dipl.-Inf. (FH)           Rheinstraße 13            Fax. +49-4931-918175-50
Software Engineer         D-26506 Norden               http://www.norbit.de
QGIS PSC member (RM)      Germany                      IRC: jef on FreeNode                         

norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
Rheinstrasse 13, 26506 Norden
GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502

More information about the Qgis-developer mailing list