[Qgis-developer] SQL Injection vulnerability

aperi2007 aperi2007 at gmail.com
Thu Mar 6 10:49:21 PST 2014


AFAIK, a direct SQL string should never be put in an SLD style.
The SQL is at the datasource level for dataset filtering, and this is a question 
outside of the style.

In the style, only some filters for classifications should be put.
This is more affordable with CQL rather than SQL.

Apart from this,
in SQL the most suitable character for SQL injection is the ; char.

The ; char is the break for every command, and so
it allows some tricks.

As example:

string= ";delete from <name-table>;"
with the ; as the first char, this string is usually capable of working also 
in a system where it
is concatenated in

'select * from table-2 where (' || string || ');'

it becomes:

'select * from table-2 where ( ;delete from <name-table>; );'

a DBMS that tries to execute this will get an error, of course, because

select * from table-2 where ( ;

is an error, but after this it could execute the

delete from <name-table>;

and this is not an error.

my 2 ct.

Andrea.

On 06/03/2014 19:25, Jürgen E. Fischer wrote:
> Hi Gino,
>
> On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
>> quote_* methods manage "--" Comments or String without Quotes that can
>> break SQL statement or introduce elements that can't be escaped...
> quotedValue puts ' around the value and duplicates all inner ' so that they are
> not interpreted as quotes that end the string, but as quotes inside the string
> and also duplicates backslashes so that they are interpreted as backslashes
> instead of giving the following character a special meaning.
>
> What else is there to handle?
>
> Jürgen
>
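To make both points of the thread concrete, here is an added example (not code from the thread or from QGIS) in Python against an in-memory SQLite database. It uses a `quoted_value()` helper that does what Jürgen describes for the quote part (wrap in `'` and double every inner `'`; the backslash doubling he mentions is a PostgreSQL escape-string concern and is deliberately left out for SQLite), and it runs Andrea's `;delete from <name-table>;` string through both the quoted concatenation and a parameterized query. The table names `table2` and `target`, the sample rows and the payload string are constructed for the demo.

```python
import sqlite3

# Constructed sample values for the demo (not from the thread).
INJECTED = ";delete from target;"   # the payload shape Andrea describes
NORMAL = "O'Brien"                  # a legitimate value that happens to contain a quote


def quoted_value(value: str) -> str:
    """Return value as a SQL string literal: wrap in ' and double every inner '.

    This is the SQL-standard quoting. The thread says QGIS's quotedValue also
    doubles backslashes, which matters for PostgreSQL escape strings but not for
    SQLite, so this demo helper (an assumption, not QGIS code) only doubles quotes.
    """
    return "'" + value.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database: table2 is what we filter, target must survive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table2 (name text)")
    conn.executemany("insert into table2 values (?)", [("Rossi",), (NORMAL,)])
    conn.execute("create table target (id integer)")
    conn.executemany("insert into target values (?)", [(1,), (2,), (3,)])
    conn.commit()
    return conn


def filter_quoted(conn: sqlite3.Connection, user_value: str) -> list:
    """Concatenate the user value into the SQL text, but only after quoted_value()
    has turned it into an inert string literal. The ; and the delete end up inside
    the quotes, so the DBMS sees a single select with a harmless comparison."""
    sql = "select name from table2 where (name = " + quoted_value(user_value) + ")"
    return [row[0] for row in conn.execute(sql)]


def filter_parameterized(conn: sqlite3.Connection, user_value: str) -> list:
    """Preferred form: the value never touches the SQL text at all, so there is
    nothing to escape and no quoting rules (backslashes included) to get wrong."""
    sql = "select name from table2 where (name = ?)"
    return [row[0] for row in conn.execute(sql, (user_value,))]


def target_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from target").fetchone()[0]


def demo() -> dict:
    """Run both filter styles with a normal and an injected value; report whether
    the target table kept all its rows."""
    conn = make_db()
    before = target_rows(conn)
    results = {
        "quoted_normal": filter_quoted(conn, NORMAL),
        "quoted_injected": filter_quoted(conn, INJECTED),
        "param_normal": filter_parameterized(conn, NORMAL),
        "param_injected": filter_parameterized(conn, INJECTED),
    }
    results["target_intact"] = target_rows(conn) == before == 3
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The normal value with an apostrophe is found by both styles, the injected string matches nothing and the `target` table still holds its three rows. Note that the quoted form only stays safe as long as the quoting rules match the DBMS in use; the parameterized form removes that dependency, which is why it is the better default even where a `quotedValue`-style helper exists.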