[Qgis-developer] SQL Injection vulnerability

G. Allegri giohappy at gmail.com
Thu Mar 6 10:01:20 PST 2014


QGIS Server does its own escaping and filters allowed characters and words
in filters.

giovanni


2014-03-06 18:59 GMT+01:00 Alessandro Pasotti <apasotti at gmail.com>:

> 2014-03-06 18:51 GMT+01:00 Gino Pirelli <luipir at gmail.com>:
>
> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
>> quote_* methods manage "--" Comments or String without Quotes that can
>> break SQL statement or introduce elements that can't be escaped...
>>
>> I would appreciate opinions by DB experts because looking around, all say
>> that escaping is not enough.
>>
>> Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
>>
>>
>>
>> On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
>>
>>> Hi Gino,
>>>
>>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>>> > but they quote only ' or \ so they are -not- enough for complete SQL
>>> > injection protection [4]
>>>
>>> Um, the link doesn't clearly point out what else to do.
>>>
>>> > every DB has its internal functions to manage these cases, but better
>>> > use parametrized queries as in many parts of the provider... but not
>>> > in all parts.
>>>
>>> [1] looks similar.  It duplicates all backslashes, not just those in
>>> front of a double quote, and prepends an E to strings with backslashes.
>>> 7829e7a now does it the same way.
>>>
>>>
>
> Hi Gino,
>
> are you worried about functions exposed by QGIS Mapserver or by the
> desktop?
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
>



-- 
Giovanni Allegri
http://about.me/giovanniallegri
Twitter: https://twitter.com/_giohappy_
blog: http://blog.spaziogis.it
GEO+ geomatica in Italia http://bit.ly/GEOplus
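The concern raised in the quoted reply (whether "--" comments or unquoted strings can break a statement that relies on quote_* style escaping, versus a parametrized query) worked through as an added example; this is not code from the thread or from QGIS, and pg_quote_literal reconstructs the behaviour Jürgen describes (double single quotes, duplicate all backslashes, prefix E when backslashes are present) as an assumption, run here against an in-memory SQLite table rather than PostgreSQL.

```python
import sqlite3

# Assumed reconstruction of the escaping described in the thread: double
# every single quote, duplicate every backslash, and prefix the literal
# with E when the value contains a backslash. This is NOT QGIS's own code.
def pg_quote_literal(value: str) -> str:
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    prefix = "E" if "\\" in value else ""
    return f"{prefix}'{escaped}'"

def make_db() -> sqlite3.Connection:
    # Constructed sample data; the third row deliberately contains quote,
    # OR and "--" so the three query styles below can be compared on it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE towns (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO towns (name) VALUES (?)",
                     [("Roma",), ("O'Neill",), ("x' OR 1=1 --",)])
    conn.commit()
    return conn

def query_naive(conn, name: str) -> list:
    # Vulnerable form kept for comparison: the quote in the value closes the
    # literal, OR 1=1 widens the match and "--" comments out the rest.
    sql = f"SELECT id FROM towns WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def query_by_escaping(conn, name: str) -> list:
    # With the value correctly quoted, "--" is just characters inside one
    # string literal and never starts a comment. SQLite accepts the doubled
    # quote form but not the E'' prefix, so only backslash-free inputs are
    # executed here; PostgreSQL accepts both.
    sql = f"SELECT id FROM towns WHERE name = {pg_quote_literal(name)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def query_parametrized(conn, name: str) -> list:
    # Placeholder binding: the value never becomes part of the SQL text, so
    # there is nothing to escape and no character set to filter.
    sql = "SELECT id FROM towns WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR 1=1 --"
    print("naive       :", query_naive(db, hostile))        # every row
    print("escaped     :", query_by_escaping(db, hostile))  # only the exact row
    print("parametrized:", query_parametrized(db, hostile)) # only the exact row
```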