[Qgis-developer] SQL Injection vulnerability
giohappy at gmail.com
Thu Mar 6 10:01:20 PST 2014
QGIS Server does its own escaping and filters allowed characters and words.
2014-03-06 18:59 GMT+01:00 Alessandro Pasotti <apasotti at gmail.com>:
> 2014-03-06 18:51 GMT+01:00 Gino Pirelli <luipir at gmail.com>:
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
>> quote_* methods manage "--" Comments or String without Quotes that can
>> break SQL statement or introduce elements that can't be escaped...
>> I would appreciate opinions by DB experts because looking around all says
>> that escaping it's not enough.
>> Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
>> On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
>>> Hi Gino,
>>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>>> > but they quote only ' or \ so they are -not- enough to a complete sql
>>> > injection protection
>>> Um, the link doesn't clearly point out what else to do.
>>> > every DB have it's internal functions to manage this cases, but better
>>> > use parametrized queries as in many parts of the provider... but not
>>> > in all parts.
>>>  looks similar. It duplicates all backslashes not just those in
>>> front of a double quote and prepends an E to strings with backslashes.
>>> 7829e7a now does it the same way.
> Hi Gino,
> are you worried about functions exposed by QGIS Mapserver or by the
> Alessandro Pasotti
> w3: www.itopen.it
GEO+ geomatica in Italia http://bit.ly/GEOplus
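Gino's concern above, that quote escaping does not cover `--` comments or values placed outside quotes, as an added example (not code from the thread or from QGIS). It assumes an sqlite3 in-memory table standing in for PostgreSQL so it runs offline; the SQL behaviour shown is generic.

```python
import sqlite3

# Constructed sample data. The thread is about PostgreSQL; sqlite3 is used here only
# so the example runs offline (assumption: the behaviour shown is generic SQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE layer (id INTEGER PRIMARY KEY, name TEXT, restricted INTEGER)")
    db.executemany("INSERT INTO layer VALUES (?, ?, ?)",
                   [(1, "roads", 0), (2, "rivers", 0), (3, "cadastre", 1)])
    return db

def quote_literal(value):
    """Standard-SQL quoting of a string literal: double embedded single quotes.
    (PostgreSQL's quote_literal additionally doubles backslashes and prefixes E'',
    as discussed in the thread; sqlite has no E'' syntax, so that part is omitted.)"""
    return "'" + value.replace("'", "''") + "'"

def count_by_name_quoted(db, name):
    # Escaping is sufficient here because the value lands inside a string literal:
    # an embedded ' becomes '' and a "--" is plain text inside the literal.
    sql = f"SELECT COUNT(*) FROM layer WHERE name = {quote_literal(name)} AND restricted = 0"
    return db.execute(sql).fetchone()[0]

def count_by_id_escaped(db, id_text):
    # Vulnerable pattern from the thread: quote escaping applied to a value that is
    # then concatenated into an unquoted (numeric) position. Nothing prevents the
    # input from carrying operators or a "--" comment that truncates the statement.
    escaped = id_text.replace("'", "''")
    sql = f"SELECT COUNT(*) FROM layer WHERE id = {escaped} AND restricted = 0"
    return db.execute(sql).fetchone()[0]

def count_by_id_bound(db, id_text):
    # Hardened form: a parametrized query. The driver passes the value as data, so
    # it is never parsed as SQL; for a numeric column, validate the type as well
    # before it reaches the query.
    sql = "SELECT COUNT(*) FROM layer WHERE id = ? AND restricted = 0"
    return db.execute(sql, (id_text,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1 --"  # constructed input mixing an operator and a comment
    print(count_by_name_quoted(db, "roads' OR 1=1 --"))  # 0: quoting held
    print(count_by_id_escaped(db, probe))                # 3: restriction commented away
    print(count_by_id_bound(db, probe))                  # 0: treated as data
```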