[Qgis-developer] SQL Injection vulnerability
luipir at gmail.com
Thu Mar 6 09:51:58 PST 2014
Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
quote_* methods handle "--" comments or strings without quotes, which can
break a SQL statement or introduce elements that can't be escaped...
I would appreciate opinions from DB experts, because everything I find says
that escaping isn't enough.
Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
> Hi Gino,
> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> > but they quote only ' or \ so they are -not- enough for complete sql
> > injection protection
> Um, the link doesn't clearly point out what else to do.
> > every DB has its own internal functions to handle these cases, but it's better
> > to use parametrized queries, as in many parts of the provider... but not
> > in all parts.
>  looks similar. It duplicates all backslashes, not just those in front of a
> double quote, and prepends an E to strings with backslashes. 7829e7a now does it
> the same way.
> Jürgen E. Fischer       norBIT GmbH       Tel. +49-4931-918175-31
> Dipl.-Inf. (FH)         Rheinstraße 13    Fax. +49-4931-918175-50
> Software Engineer       D-26506 Norden
> QGIS PSC member (RM)    Germany           IRC: jef on FreeNode
> norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
> Rheinstrasse 13, 26506 Norden
> GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
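The question in this thread is whether quote_*-style escaping leaves "--" and embedded quotes harmless, and where escaping stops being the right tool. The following is an added illustration, not code from the thread or from the QGIS provider: it uses Python's in-process sqlite3 as a stand-in for PostgreSQL, a small `quote_literal()` that mimics PostgreSQL's quote_literal() for strings containing no backslashes (an assumption, stated in the comment; the real function switches to an E'...' literal with doubled backslashes, which is what the 7829e7a change mirrors), and constructed sample rows. It shows that a properly quoted string literal is a single token to the SQL lexer, so "--" inside it never becomes a comment, and that for a numeric context (a value without quotes) literal escaping does not apply at all and the value must be type-checked and bound as a parameter.

```python
import sqlite3

# Constructed sample rows; the thread contains no data.
SAMPLE_NAMES = ["Norden", "O'Neil -- not a comment"]


def quote_literal(value: str) -> str:
    """Mimic PostgreSQL quote_literal() for strings without backslashes:
    wrap in single quotes and double every embedded single quote.
    Assumption: standard_conforming_strings is on, so a backslash is an
    ordinary character; PostgreSQL's real function would otherwise emit an
    E'...' literal with the backslashes doubled."""
    return "'" + value.replace("'", "''") + "'"


def setup() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample rows (ids 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO places (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Escape-and-interpolate. The quoted value is one string token to the
    lexer, so an embedded -- or ' cannot open a comment or close the literal;
    the statement stays syntactically intact and matches only the exact name."""
    sql = "SELECT name FROM places WHERE name = " + quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value never becomes part of the SQL text."""
    rows = conn.execute("SELECT name FROM places WHERE name = ?", (name,))
    return [row[0] for row in rows]


def count_by_id_param(conn: sqlite3.Connection, id_value: str) -> int:
    """Numeric context (the value would appear without quotes). String
    escaping is the wrong tool here; validate the type first, then bind.
    int() raises ValueError for anything that is not a plain integer."""
    id_int = int(id_value)
    row = conn.execute("SELECT COUNT(*) FROM places WHERE id = ?", (id_int,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = setup()
    for candidate in SAMPLE_NAMES + ["Norden' --"]:
        print(repr(candidate), "escaped:", find_by_name_escaped(db, candidate),
              "param:", find_by_name_param(db, candidate))
    print("id 1 count:", count_by_id_param(db, "1"))
```

Running the block prints the same result for the escaped and the parameterised lookup on every input, including the one that carries a stray quote followed by "--": it simply matches nothing, without an error or a truncated statement. The last function is the part escaping cannot cover: when the provider builds a WHERE clause on an integer or identifier, there is no string literal to protect, so the value has to be validated (or bound through the driver) rather than quoted.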