[Qgis-developer] SQL Injection vulnerability

Jürgen E. Fischer jef at norbit.de
Thu Mar 6 10:25:46 PST 2014

Hi Gino,

On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
> quote_* methods manage "--" Comments or String without Quotes that can
> break SQL statement or introduce elements that can't be escaped...

quotedValue puts ' around the value and duplicates all inner ' so that they are
not interpreted as quotes that end the string, but as quotes inside the string
and also duplicates backslashes so that they are interpreted as backslashes
instead of giving the following character a special meaning.

What else is there to handle?


Jürgen E. Fischer         norBIT GmbH               Tel. +49-4931-918175-31
Dipl.-Inf. (FH)           Rheinstraße 13            Fax. +49-4931-918175-50
Software Engineer         D-26506 Norden               http://www.norbit.de
QGIS PSC member (RM)      Germany                      IRC: jef on FreeNode                         

norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
Rheinstrasse 13, 26506 Norden
GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502

More information about the Qgis-developer mailing list