[Qgis-developer] SQL Injection vulnerability

Gino Pirelli luipir at gmail.com
Thu Mar 6 09:51:58 PST 2014


Thank you Jürgen, I feel safer ;) but... I can't figure out how the Postgres
quote_* methods handle "--" comments or strings without quotes, which can
break an SQL statement or introduce elements that can't be escaped...

I would appreciate opinions from DB experts, because everything I find says
that escaping is not enough.

Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)



On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:

> Hi Gino,
>
> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> > but they quote only ' or \, so they are -not- enough for complete SQL
> > injection protection [4]
>
> Um, the link doesn't clearly point out what else to do.
>
> > every DB has its internal functions to manage these cases, but it's
> > better to use parametrized queries, as in many parts of the provider...
> > but not in all parts.
>
> [1] looks similar.  It duplicates all backslashes, not just those in front
> of a double quote, and prepends an E to strings with backslashes.  7829e7a
> now does it the same way.
>
>
>
> Jürgen
>
> [1]
> http://doxygen.postgresql.org/fe-exec_8c.html#a01c75d019597e76bc041716f27caf564
>
> --
> Jürgen E. Fischer         norBIT GmbH               Tel. +49-4931-918175-31
> Dipl.-Inf. (FH)           Rheinstraße 13            Fax. +49-4931-918175-50
> Software Engineer         D-26506 Norden
> http://www.norbit.de
> QGIS PSC member (RM)      Germany                      IRC: jef on FreeNode
>
> --
> norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
> Rheinstrasse 13, 26506 Norden
> GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502
>
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
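The following is an added illustration for the question above about "--" comments and unquoted values; it is not code from the thread, from QGIS, or from libpq. It models the quoting rule Jürgen describes (double every backslash and single quote, prefix E when a backslash is present) and pairs it with a small toy lexer that splits SQL on semicolons outside string literals. The table and column names, the attacker string, and the query templates are constructed for the demonstration; the lexer is an assumption made to show where a statement boundary or comment would be recognised, not a PostgreSQL parser.

```python
# Added example (not QGIS or libpq code): a model of the quoting rule
# discussed in the thread, plus a toy lexer that shows why "--" inside a
# quoted literal is harmless and why quoting cannot help an unquoted slot.


def quote_literal(value: str) -> str:
    """Quote a string the way the thread describes: double every backslash
    and single quote, and prefix E when a backslash was present so the
    server treats the backslashes as escapes. Model of the rule only."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    prefix = "E" if "\\" in value else ""
    return f"{prefix}'{escaped}'"


def split_statements(sql: str):
    """Toy lexer (assumption, not a real parser): split SQL at semicolons
    that lie outside string literals and report whether a -- comment was
    seen outside a literal. Handles '' doubling and backslash escapes in
    E'...' strings, which is all the demonstration needs."""
    statements, current = [], []
    i, n = 0, len(sql)
    saw_comment = False
    while i < n:
        ch = sql[i]
        if ch == "'":
            # An E or e directly before the quote (not part of a longer
            # identifier) marks an escape string where backslash escapes.
            escape_string = (
                i > 0 and sql[i - 1] in "eE"
                and (i < 2 or not sql[i - 2].isalnum())
            )
            current.append(ch)
            i += 1
            while i < n:  # consume the literal body; no comment or ; here
                c = sql[i]
                if escape_string and c == "\\" and i + 1 < n:
                    current.append(sql[i:i + 2])
                    i += 2
                    continue
                if c == "'":
                    if i + 1 < n and sql[i + 1] == "'":  # doubled quote
                        current.append("''")
                        i += 2
                        continue
                    current.append(c)
                    i += 1
                    break  # literal closed
                current.append(c)
                i += 1
            continue
        if sql.startswith("--", i):  # comment outside a literal: to EOL
            saw_comment = True
            j = sql.find("\n", i)
            i = n if j == -1 else j
            continue
        if ch == ";":  # statement boundary outside a literal
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements, saw_comment


# Constructed attacker-controlled value and query templates (assumptions).
ATTACK = "x'; DROP TABLE layers; --"
TEMPLATE_QUOTED = "SELECT * FROM layers WHERE name = {}"
TEMPLATE_UNQUOTED = "SELECT * FROM layers LIMIT {}"


def query_with_quoting(value: str) -> str:
    """Value goes through quote_literal: the whole thing stays one literal."""
    return TEMPLATE_QUOTED.format(quote_literal(value))


def query_with_raw_interpolation(value: str) -> str:
    """Value wrapped in quotes but not escaped: the ' inside breaks out."""
    return TEMPLATE_QUOTED.format("'" + value + "'")


def query_unquoted_context(value: str) -> str:
    """Unquoted slot (a number expected): escaping quotes changes nothing,
    so the value must be validated as a number or passed as a parameter."""
    return TEMPLATE_UNQUOTED.format(value)


if __name__ == "__main__":
    for q in (query_with_quoting(ATTACK),
              query_with_raw_interpolation(ATTACK),
              query_unquoted_context("1; DROP TABLE layers; --")):
        print(q, "->", split_statements(q))
```

Run stand-alone, the first query lexes as a single statement with no comment because the doubled quote keeps "; DROP TABLE layers; --" inside the literal, the second splits into two statements with a trailing comment, and the third shows the case Gino raises: in a slot that the template never quotes, quote_* style escaping is irrelevant and only type validation or a bound parameter closes the hole.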