Hi, I was expanding the saveStyle functionality in the SpatiaLite provider using the same code model used in the PostgreSQL provider. Reading the C++ code of the provider, I figured out a possible vulnerability to SQL injection.
The QGIS PostgreSQL provider [1] makes extensive use of two internal functions to prevent injection, [2] QString QgsPostgresConn::quotedValue( QVariant value ) and [3] QString QgsPostgresConn::quotedIdentifier( QString ident ), but they quote only ' or \, so they are -not- enough for complete SQL injection protection [4]. Every DB has its own internal functions to manage these cases, but it is better to use parametrized queries, as in many parts of the provider... but not in all parts. Using parametrized queries needs an extensive rewrite of the providers... an intermediate approach is to add specific quote_* calls in the above functions.

Let me know what you think.

Luigi Pirelli ([email protected] - [email protected])

[1] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresprovider.cpp
[2] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L752
[3] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L759
[4] http://www.sqlinjectionwiki.com/Categories.aspx?catId=4
_______________________________________________ Qgis-developer mailing list [email protected] http://lists.osgeo.org/mailman/listinfo/qgis-developer
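As an added illustration of the quoting question raised above (this is example code written for this page, not QGIS code and not the provider's quotedValue/quotedIdentifier), here is a minimal pair of quoting helpers in plain C++ together with the kind of concatenated INSERT a saveStyle implementation builds. It assumes the string-literal rules of SQLite and of PostgreSQL with standard_conforming_strings=on, where a single quote is escaped by doubling it and a backslash has no special meaning inside a regular '...' literal; the table and column names (layer_styles, layer_name, style_xml) are hypothetical. The one case plain quoting cannot express, an embedded NUL byte, is rejected outright, because any query handed to a C-string API would be silently truncated at that byte.

```cpp
// Added example: SQL literal and identifier quoting for SQLite /
// standard-conforming PostgreSQL, with a NUL-byte guard. Not QGIS code.
#include <iostream>
#include <stdexcept>
#include <string>

// Quote a value as a SQL string literal by doubling every single quote.
// Backslash is deliberately left untouched: in SQLite, and in PostgreSQL
// with standard_conforming_strings=on, it is an ordinary character in a
// '...' literal, so doubling it would store a corrupted value.
// An embedded NUL cannot survive a C-string query API, so it is rejected
// rather than letting the statement be cut short.
std::string quotedValue(const std::string &value)
{
    if (value.find('\0') != std::string::npos)
        throw std::invalid_argument("value contains NUL byte");
    std::string out;
    out.reserve(value.size() + 2);
    out.push_back('\'');
    for (char c : value) {
        if (c == '\'')
            out.push_back('\'');   // ' becomes ''
        out.push_back(c);
    }
    out.push_back('\'');
    return out;
}

// Quote an identifier (table, column, schema name) by wrapping it in
// double quotes and doubling any embedded double quote. Quoted
// identifiers are case-sensitive, so pass the exact stored spelling.
std::string quotedIdentifier(const std::string &ident)
{
    if (ident.find('\0') != std::string::npos)
        throw std::invalid_argument("identifier contains NUL byte");
    std::string out;
    out.reserve(ident.size() + 2);
    out.push_back('"');
    for (char c : ident) {
        if (c == '"')
            out.push_back('"');    // " becomes ""
        out.push_back(c);
    }
    out.push_back('"');
    return out;
}

// Build the kind of statement a saveStyle routine concatenates.
// Identifiers go through quotedIdentifier, data through quotedValue;
// nothing from the caller is spliced in raw. Column names are hypothetical.
std::string buildInsertStyle(const std::string &table,
                             const std::string &layerName,
                             const std::string &styleXml)
{
    return "INSERT INTO " + quotedIdentifier(table) +
           " (layer_name, style_xml) VALUES (" +
           quotedValue(layerName) + ", " + quotedValue(styleXml) + ")";
}

int main()
{
    // Constructed hostile input: the quote that would have closed the
    // literal is doubled, so the trailing DROP stays inside the string.
    std::cout << buildInsertStyle("layer_styles",
                                  "roads'); DROP TABLE layer_styles; --",
                                  "<qgis/>")
              << std::endl;
    return 0;
}
```

With a bound-parameter API (sqlite3_prepare_v2 plus sqlite3_bind_text, or PQexecParams on the PostgreSQL side) the value-quoting function disappears entirely, since the driver never parses the data as SQL; identifiers, however, cannot be bound as parameters in either API, so a quotedIdentifier-style helper is still needed for table and column names whatever approach the provider settles on.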
