[Qgis-developer] SQL Injection vulnerability
Jürgen E. Fischer
jef at norbit.de
Thu Mar 6 07:35:38 PST 2014
Hi Gino,
On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> but they quote only ' or \ so they are -not- enough for complete SQL
> injection protection [4]
Um, the link doesn't clearly point out what else to do.
> every DB has its internal functions to manage these cases, but it is better
> to use parametrized queries as in many parts of the provider... but not
> in all parts.
[1] looks similar. It duplicates all backslashes, not just those in front of a
double quote, and prepends an E to strings with backslashes. 7829e7a now does it
the same way.
Jürgen
[1] http://doxygen.postgresql.org/fe-exec_8c.html#a01c75d019597e76bc041716f27caf564
--
Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
Software Engineer D-26506 Norden http://www.norbit.de
QGIS PSC member (RM) Germany IRC: jef on FreeNode
--
norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
Rheinstrasse 13, 26506 Norden
GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502
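Added example, not QGIS or libpq code: a C++ (the provider's language) reconstruction of the two quoting strategies the message contrasts, plus a minimal model of the server's string-literal scanner to show why doubling every backslash and using an E'...' literal holds up under either standard_conforming_strings setting. quotedValueOld is my assumption of the old behaviour described above (doubles ' and doubles a backslash only when it precedes a double quote); quotedValueNew follows the fe-exec.c approach described in the message. The function names and sample values are constructed for this example.

```cpp
#include <string>

// ASSUMED reconstruction of the old quoting described in the thread, not
// the actual QGIS source: doubles ' and doubles a backslash only when it is
// followed by a double quote.
std::string quotedValueOld(const std::string &v)
{
  std::string out = "'";
  for (size_t i = 0; i < v.size(); ++i)
  {
    char c = v[i];
    if (c == '\'')
      out += "''";
    else if (c == '\\' && i + 1 < v.size() && v[i + 1] == '"')
      out += "\\\\";
    else
      out += c;
  }
  out += '\'';
  return out;
}

// fe-exec.c style (as described in the message): double every ' and every \,
// and emit an E'...' literal when any backslash is present so the server
// interprets backslashes as escapes regardless of standard_conforming_strings.
std::string quotedValueNew(const std::string &v)
{
  std::string body;
  bool hasBackslash = false;
  for (char c : v)
  {
    if (c == '\'')
      body += "''";
    else if (c == '\\')
    {
      body += "\\\\";
      hasBackslash = true;
    }
    else
      body += c;
  }
  return (hasBackslash ? "E'" : "'") + body + "'";
}

// Minimal model of how the server scans a string literal. backslashEscapes
// models standard_conforming_strings = off (backslash escapes inside '...').
// Returns true iff the literal closes exactly at the end of `lit`, i.e. the
// quoted value cannot break out of the string and into the query.
bool literalClosesAtEnd(const std::string &lit, bool backslashEscapes)
{
  size_t i = 0;
  if (lit.compare(0, 2, "E'") == 0)
  {
    backslashEscapes = true; // E'...' always treats backslashes as escapes
    i = 2;
  }
  else if (!lit.empty() && lit[0] == '\'')
    i = 1;
  else
    return false;

  for (; i < lit.size(); ++i)
  {
    if (backslashEscapes && lit[i] == '\\')
    {
      ++i; // skip the escaped character
      continue;
    }
    if (lit[i] == '\'')
    {
      if (i + 1 < lit.size() && lit[i + 1] == '\'')
      {
        ++i; // '' is an escaped quote; stay inside the literal
        continue;
      }
      return i + 1 == lit.size(); // closing quote must be the last char
    }
  }
  return false; // literal never closed: the rest of the query is swallowed
}
```

The interesting input is a value ending in a backslash followed by a quote. The old quoting turns it into '\''' which is fine when backslashes are inert, but with standard_conforming_strings = off the backslash eats the first quote and the literal never closes. The E-prefixed form is unambiguous under both settings.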