#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
Reporter: marisn |
Owner: grass-dev@…
Type: defect |
Status: new
Priority: blocker |
Milestone: 7.0.0
Component: wxGUI |
Version: svn-trunk
Keywords: security, code injection, SQL injection, data loss, v.db.update |
Platform: Unspecified
Cpu: Unspecified |
-----------------------------------------------------------------------------+
Comment(by marisn):
Replying to [comment:4 mlennert]:
> I can't reproduce this bug. I've tried with different SQL texts and they
all are just put into the text field in the attribute table.
>
> Maris, can you still confirm this bug ?
Nothing has changed. Still text fields fail if a single apostrophe is
entered. Deleting whole database via text attribute entry field has been
left as an excise for reader ;)
GRASS version: 7.1.svn
GRASS SVN revision: 64597M
Build date: 2015-01-13
Build platform: x86_64-unknown-linux-gnu
{{{
SQL parser error (syntax error, unexpected SELECT, expecting $end or ';'
processing 'select') in statement:
UPDATE lid_vor SET nosaukums=''; select * from lid_vor; '' WHERE cat=61
Unable to execute statement.
DBMI-DBF driver error:
SQL parser error (syntax error, unexpected SELECT, expecting $end or ';'
processing 'select') in statement:
UPDATE lid_vor SET nosaukums=''; select * from lid_vor; '' WHERE cat=61
Unable to execute statement.
KĻŪDA: Error while executing: 'UPDATE lid_vor SET nosaukums=''; select *
from lid_vor; '' WHERE cat=61'
}}}
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:5>
GRASS GIS <http://grass.osgeo.org>
_______________________________________________
grass-dev mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/grass-dev
