[Qgis-developer] SQL Injection vulnerability
apasotti at gmail.com
Thu Mar 6 09:59:27 PST 2014
2014-03-06 18:51 GMT+01:00 Gino Pirelli <luipir at gmail.com>:
> Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
> quote_* methods manage "--" comments or strings without quotes that can
> break an SQL statement or introduce elements that can't be escaped...
> I would appreciate opinions by DB experts because, looking around, everyone says
> that escaping isn't enough.
> Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
> On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
>> Hi Gino,
>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>> > but they quote only ' or \ so they are -not- enough for complete SQL
>> > injection protection
>> Um, the link doesn't clearly point out what else to do.
>> > every DB has its internal functions to manage these cases, but it is better to
>> > use parametrized queries, as in many parts of the provider... but not
>> > in all parts.
>>  looks similar. It duplicates all backslashes, not just those in front of a
>> double quote, and prepends an E to strings with backslashes. 7829e7a now
>> does it the same way.
are you worried about functions exposed by QGIS Mapserver or by the
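As an added illustration (not code from QGIS or from anyone in this thread), the quoting rule Jürgen describes, written in Python, together with a small literal scanner that shows why a "--" or a stray quote inside a correctly quoted value stays inside the string literal instead of ending it. The names quoted_value, scan_literal and where_clause are my own, and the column name is assumed to be a trusted identifier; only the value is treated as untrusted.

```python
def quoted_value(value):
    """Render value as a PostgreSQL string literal.

    Rule from the thread: double every single quote, double every backslash,
    and prefix the literal with E when it contains backslashes. With the E
    prefix a backslash is always an escape, so the meaning does not depend on
    the server's standard_conforming_strings setting.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return ("E" if "\\" in value else "") + "'" + escaped + "'"


def scan_literal(sql, start):
    """Scan the string literal starting at sql[start] (plain or E-prefixed).

    Returns (decoded value, index just past the closing quote). This is a
    simplified decoder that only handles what quoted_value emits: doubled
    quotes and backslash-escaped characters. Anything else, including "--",
    ";" or spaces, is ordinary data until the closing quote is reached.
    """
    i, escapes, out = start, False, []
    if sql[i] in "Ee" and sql[i + 1] == "'":
        escapes, i = True, i + 1
    if sql[i] != "'":
        raise ValueError("no string literal at offset %d" % start)
    i += 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")          # doubled quote is one literal quote
                i += 2
                continue
            return "".join(out), i + 1   # single quote closes the literal
        if escapes and c == "\\":
            out.append(sql[i + 1])       # \\ decodes to one backslash
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def where_clause(column, value):
    """Build a WHERE clause; column is assumed trusted, value is untrusted."""
    return 'WHERE "%s" = %s' % (column, quoted_value(value))


def value_survives_round_trip(value):
    """True when the quoted value decodes to itself and nothing follows it."""
    sql = where_clause("name", value)
    decoded, end = scan_literal(sql, sql.index("= ") + 2)
    return decoded == value and end == len(sql)
```

The thread's own recommendation still stands: where the provider can use parametrized queries, the value never enters the SQL text at all and no quoting rule has to be trusted.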