[Qgis-developer] SQL Injection vulnerability

Jürgen E. Fischer jef at norbit.de
Thu Mar 6 10:25:46 PST 2014


Hi Gino,

On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
> quote_* methods manage "--" Comments or String without Quotes that can
> break SQL statement or introduce elements that can't be escaped...

quotedValue puts ' around the value and duplicates all inner ' so that they are
not interpreted as quotes that end the string, but as quotes inside the string
and also duplicates backslashes so that they are interpreted as backslashes
instead of giving the following character a special meaning.

What else is there to handle?



Jürgen

-- 
Jürgen E. Fischer         norBIT GmbH               Tel. +49-4931-918175-31
Dipl.-Inf. (FH)           Rheinstraße 13            Fax. +49-4931-918175-50
Software Engineer         D-26506 Norden               http://www.norbit.de
QGIS PSC member (RM)      Germany                      IRC: jef on FreeNode                         

-- 
norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
Rheinstrasse 13, 26506 Norden
GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502
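The quoting rules Jürgen describes (wrap the value in single quotes, double every inner quote, double every backslash) can be checked mechanically. The following Python is an added illustration, not QGIS's own `quotedValue` implementation: the function names `quoted_value`, `quote_only_doubling`, `scan_literal` and `literal_covers_value` are assumptions made here, and the sample values are constructed for the check. It scans the resulting SQL the way a permissive server-side tokenizer would (treating both `''` and backslash as escapes) and confirms that the literal ends exactly at the closing quote we added, so that `--` or a stray `'` inside the value cannot spill into the rest of the statement. It also shows why the backslash doubling matters: a value ending in a backslash, quoted without it, would swallow the closing quote.

```python
# Added illustration of the quoting rules described in the mail (not QGIS code).
# Function names are assumptions; sample values below are constructed.

def quoted_value(value):
    """Quote a value for use as a SQL string literal: wrap in ', double inner
    quotes so they stay inside the literal, and double backslashes so that a
    backslash cannot escape the closing quote when the server treats
    backslashes specially (E'' literals, or standard_conforming_strings = off)."""
    if value is None:
        return "NULL"
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def quote_only_doubling(value):
    """Deliberately incomplete variant for comparison: doubles quotes but
    leaves backslashes alone."""
    return "'" + value.replace("'", "''") + "'"


def scan_literal(sql, start):
    """Return the index just past the single-quoted literal starting at
    sql[start]. Uses the permissive rule set (both '' and \\x are escapes),
    the mode in which an unescaped trailing backslash is dangerous.
    Raises ValueError if the literal never terminates."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":
            i += 2                      # backslash consumes the next character
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2                  # doubled quote stays inside the literal
            else:
                return i + 1            # closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")


TAIL = " ORDER BY id"                   # part of the statement after the value


def build_query(value, quoter=quoted_value):
    """Embed a user-supplied value as a string literal in a fixed statement."""
    return "SELECT id FROM places WHERE name = " + quoter(value) + TAIL


def literal_covers_value(value, quoter=quoted_value):
    """True if the literal in build_query(value) ends exactly at the closing
    quote we added, i.e. the value could not terminate the literal early and
    the fixed tail of the statement survived untouched."""
    sql = build_query(value, quoter)
    start = sql.index("'")
    try:
        end = scan_literal(sql, start)
    except ValueError:
        return False
    return sql[end:] == TAIL


# Constructed sample values: quotes, a comment marker, and trailing backslashes.
SAMPLE_VALUES = [
    "O'Brien",
    "x' -- looks like a comment",
    "it''s already doubled",
    "\\'",
    "ends with backslash \\",
]


def all_samples_safe(quoter=quoted_value):
    """Run the check over every constructed sample with the given quoter."""
    return all(literal_covers_value(v, quoter) for v in SAMPLE_VALUES)


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(repr(v), "->", build_query(v), "| intact:", literal_covers_value(v))
    print("all safe with full quoting:", all_samples_safe())
    print("all safe with quote-only doubling:", all_samples_safe(quote_only_doubling))
```

Two caveats a practitioner would want alongside this. First, the backslash doubling is correct for literals in which the server interprets backslashes (E'...' strings always do; plain '...' strings do only when standard_conforming_strings is off), so the quoting routine and the literal form it emits have to agree. Second, this protection applies only where the value is placed as a string literal; a value substituted into an unquoted position (an identifier, a number, a keyword) is not a string at all, and quoting it as one does not help, which is the point behind the "String without Quotes" worry in the quoted message.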


