[Qgis-developer] SQL Injection vulnerability

Gino Pirelli luipir at gmail.com
Thu Mar 6 10:09:32 PST 2014


Hi Alessandro

this is inside the provider... I suppose that QGIS Server uses the provider as
the Desktop does

Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)


On 6 March 2014 18:59, Alessandro Pasotti <apasotti at gmail.com> wrote:

> 2014-03-06 18:51 GMT+01:00 Gino Pirelli <luipir at gmail.com>:
>
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
>> quote_* methods manage "--" comments or strings without quotes that can
>> break an SQL statement or introduce elements that can't be escaped...
>>
>> I would appreciate opinions from DB experts, because looking around, everyone
>> says that escaping isn't enough.
>>
>> Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)
>>
>>
>>
>> On 6 March 2014 16:35, Jürgen E. <jef at norbit.de> wrote:
>>
>>> Hi Gino,
>>>
>>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>>> > but they quote only ' or \, so they are -not- enough for complete SQL
>>> > injection protection [4]
>>>
>>> Um, the link doesn't clearly point out what else to do.
>>>
>>> > every DB has its own internal functions to manage these cases, but it's
>>> > better to use parametrized queries, as in many parts of the provider...
>>> > but not in all parts.
>>>
>>> [1] looks similar.  It duplicates all backslashes, not just those in
>>> front of a double quote, and prepends an E to strings with backslashes.
>>> 7829e7a now does it the same way.
>>>
>>>
>
> Hi Gino,
>
> are you worried about functions exposed by QGIS Mapserver or by the
> desktop?
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
>
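The question raised in the thread, whether a quoting helper copes with "--" comments and with values that are not wrapped in quotes, can be checked directly. The following is an added example for this archive page, not code from QGIS or from any of the posters. It uses an in-process sqlite3 database as a stand-in for the provider's backend (an assumption: PostgreSQL's backslash and E'...' handling is not modelled here), a hypothetical `quoted_value` helper that doubles single quotes in the style the thread describes, and a constructed `features` table. It shows that a comment marker inside a properly quoted literal is inert, that quoting cannot help in an unquoted numeric context because the escaper never runs, and that a bound parameter is never parsed as SQL.

```python
import sqlite3

# Constructed sample rows standing in for a provider table (not real data).
FEATURES = [(1, "road"), (2, "river"), (3, "o'neill park")]


def make_db():
    """Build the in-memory stand-in database (sqlite3 is an assumption
    chosen so the example runs offline; the thread is about PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE features (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO features VALUES (?, ?)", FEATURES)
    return conn


def quoted_value(value):
    """Hypothetical quoting helper in the style the thread discusses:
    wrap in single quotes and double every embedded single quote."""
    return "'" + str(value).replace("'", "''") + "'"


def ids_by_name_concat(conn, name):
    """Quoted string context built by concatenation. The escaper runs, so a
    "--" inside the value stays inside the literal and cannot open a comment."""
    sql = "SELECT id FROM features WHERE name = " + quoted_value(name)
    return sorted(r[0] for r in conn.execute(sql))


def ids_by_id_concat(conn, feature_id):
    """Unquoted numeric context built by concatenation. There is no quote for
    the escaper to act on, so whatever text arrives becomes part of the SQL;
    this is the 'strings without quotes' case the thread worries about."""
    sql = "SELECT id FROM features WHERE id = " + str(feature_id)
    return sorted(r[0] for r in conn.execute(sql))


def ids_by_id_param(conn, feature_id):
    """Parametrized form: the value is bound by the driver and is compared as
    data, never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id FROM features WHERE id = ?"
    return sorted(r[0] for r in conn.execute(sql, (feature_id,)))


def ids_by_name_param(conn, name):
    """Parametrized string lookup; no quoting helper is needed at all."""
    sql = "SELECT id FROM features WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


if __name__ == "__main__":
    db = make_db()
    # Quote doubling handles an embedded apostrophe in a quoted context.
    print(ids_by_name_concat(db, "o'neill park"))  # [3]
    # A "--" inside a quoted literal is just text: no row is named that.
    print(ids_by_name_concat(db, "road' -- "))     # []
    # Unquoted context: the value rewrites the WHERE clause (risk).
    print(ids_by_id_concat(db, "2 OR 1=1 -- "))    # [1, 2, 3]
    # Bound parameter: compared as a text value, matches nothing (mitigation).
    print(ids_by_id_param(db, "2 OR 1=1 -- "))     # []
    print(ids_by_id_param(db, 2))                  # [2]
```

The middle two calls are the point of the thread: the same untrusted value is harmless when the driver binds it and harmful when it is concatenated into a position the quoting helper never touches. Escaping is only as good as the discipline of calling it at every interpolation point, whereas parameters remove the interpolation entirely.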