[Qgis-developer] SQL Injection vulnerability

Alessandro Pasotti apasotti at gmail.com
Thu Mar 6 09:59:27 PST 2014


2014-03-06 18:51 GMT+01:00 Gino Pirelli <luipir at gmail.com>:

> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
> quote_* methods manage "--" comments or strings without quotes that can
> break an SQL statement or introduce elements that can't be escaped...
>
> I would appreciate opinions by DB experts because, looking around,
> everything says that escaping isn't enough.
>
> Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
>
>
>
> On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
>
>> Hi Gino,
>>
>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>> > but they quote only ' or \, so they are -not- enough for complete SQL
>> > injection protection [4]
>>
>> Um, the link doesn't clearly point out what else to do.
>>
>> > every DB has its internal functions to manage these cases, but it's
>> > better to use parametrized queries, as in many parts of the provider...
>> > but not in all parts.
>>
>> [1] looks similar.  It duplicates all backslashes, not just those in front
>> of a double quote, and prepends an E to strings with backslashes.  7829e7a
>> now does it the same way.
>>
>>

Hi Gino,

are you worried about functions exposed by QGIS Mapserver or by the
desktop?

-- 
Alessandro Pasotti
w3:   www.itopen.it
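The quoted exchange above asks two things: how PostgreSQL-style quoting copes with a `--` comment or a stray quote inside a value, and whether the rule Jürgen describes (double every backslash, prefix E when backslashes are present) is sound. The following Python script is an added example, not QGIS code and not code from any participant in the thread. It re-implements that quoting rule in a simplified form, scans the resulting statement the way an SQL lexer would to confirm the value stays inside a single literal, contrasts it with quoting that does no escaping, and finishes with a parametrised query, where the value never enters the SQL text at all. `build_filter`, `statement_structure`, `lookup_parametrised` and the sample values are constructed for the example; sqlite3 stands in for PostgreSQL so it runs offline (with psycopg2 the call has the same shape, `cursor.execute(sql, params)`).

```python
import sqlite3  # stand-in for a real database client, so the example runs offline


def quote_literal(value: str) -> str:
    """Turn a Python string into a PostgreSQL string literal.

    Follows the rule described in the thread: double every single quote,
    double every backslash (not only those before a double quote), and write
    the result as an E'...' escape-string literal whenever the value contains
    a backslash, so the doubled backslashes are read back as single ones
    regardless of the server's standard_conforming_strings setting.
    Simplified re-implementation for illustration, not QGIS or libpq code.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    if "\\" in value:
        return "E'" + escaped + "'"
    return "'" + escaped + "'"


def naive_quote(value: str) -> str:
    """Wrap in quotes without escaping: the insufficient approach, kept for contrast."""
    return "'" + value + "'"


def build_filter(column: str, value: str, quoter=quote_literal) -> str:
    """Assemble a WHERE clause by string concatenation (constructed example)."""
    return "SELECT name FROM places WHERE " + column + " = " + quoter(value)


def statement_structure(sql: str) -> dict:
    """Scan a statement the way the SQL lexer would and report its shape.

    Counts string literals, plus '--' comment starts and ';' that occur
    *outside* any literal; a '--' inside a literal is just text. Handles ''
    doubling in every literal and backslash escapes inside E'...' literals.
    Small hand-written scanner for the example, not a full SQL lexer.
    """
    literals = comments_outside = semicolons_outside = 0
    in_literal = escape_string = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if escape_string and ch == "\\":
                i += 2  # backslash escape: skip the escaped character too
                continue
            if ch == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 2  # doubled quote stays inside the literal
                    continue
                in_literal = False
        elif ch == "'":
            in_literal = True
            literals += 1
            # E'...' prefix: an E/e directly before the quote that is not the
            # tail of an identifier (SOME_TABLE'... must not count as a prefix)
            escape_string = (
                i > 0 and sql[i - 1] in "Ee"
                and (i < 2 or not (sql[i - 2].isalnum() or sql[i - 2] == "_"))
            )
        elif sql.startswith("--", i):
            comments_outside += 1
        elif ch == ";":
            semicolons_outside += 1
        i += 1
    return {
        "literals": literals,
        "comments_outside": comments_outside,
        "semicolons_outside": semicolons_outside,
        "unterminated": in_literal,
    }


def lookup_parametrised(rows, wanted):
    """Same lookup with a placeholder: the value never becomes part of the SQL text.

    sqlite3 is used only so the example runs without a PostgreSQL server.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (name TEXT)")
    conn.executemany("INSERT INTO places VALUES (?)", [(r,) for r in rows])
    found = conn.execute("SELECT name FROM places WHERE name = ?", (wanted,)).fetchall()
    conn.close()
    return [r[0] for r in found]


if __name__ == "__main__":
    # Constructed sample values: a quote plus a '--' comment marker, and a
    # Windows path with backslashes.
    samples = ["O'Reilly -- note; x", "C:\\gis\\data"]
    for s in samples:
        sql = build_filter("name", s)
        print(sql, statement_structure(sql))
    bad = build_filter("name", samples[0], naive_quote)
    print(bad, statement_structure(bad))
    print(lookup_parametrised(["Milano"] + samples, samples[0]))
```

Run as a script, the properly quoted statements report exactly one literal and no comment marker or semicolon outside it, while the unescaped version reports two literals, a comment start outside any literal and an unterminated string, which is the breakage Gino is asking about. The parametrised lookup returns the row regardless of what the value contains, because the driver sends it as data rather than as SQL.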