[Qgis-developer] SQL Injection vulnerability

aperi2007 aperi2007 at gmail.com
Thu Mar 6 10:49:21 PST 2014

AFAIK in a SLD style should never be put a direct sql string.
The SQL is at datasource level for dataset filter and this is a question 
outside from the style.

In the style should be put only some filter for classifications.
This is more affordable with the CQL rather than SQL.

Apart from this,
in the SQL the more suitable character for sql injection is the ; char

The ; char is the break for every command and so
it allow some trick.

As example:

string= ";delete from <name-table>;"
with the ; ias first char is capable usually to do work this string also 
in a system where it
is is a concatenation in

'select * from table-2 where (' || string || ');'

it became:

'select * from table-2 where ( ;delete from <name-table>; );'

a dbms that try to execute this will do an error of-course, because

select * from table-2 where ( ;

is an error, but after this it could execute the

delete from <name-table>;

and this is not an error.

my 2 ct.


On 06/03/2014 19:25, Jürgen E. Fischer wrote:
> Hi Gino,
> On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
>> quote_* methods manage "--" Comments or String without Quotes that can
>> break SQL statement or introduce elements that can't be escaped...
> quotedValue puts ' around the value and duplicates all inner ' so that they are
> not interpreted as quotes that end the string, but as quotes inside the string
> and also duplicates backslashes so that they are interpreted as backslashes
> instead of giving the following character a special meaning.
> What else is there to handle?
> Jürgen

More information about the Qgis-developer mailing list