Hi Gino,

On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> but they quote only ' or \ so they are -not- enough for complete sql
> injection protection [4]

Um, the link doesn't clearly point out what else to do.

> every DB has its internal functions to manage these cases, but better
> use parametrized queries as in many parts of the provider... but not
> in all parts.

[1] looks similar. It duplicates all backslashes, not just those in front of a double quote, and prepends an E to strings with backslashes. 7829e7a now does it the same way.

Jürgen

[1] http://doxygen.postgresql.org/fe-exec_8c.html#a01c75d019597e76bc041716f27caf564

--
Jürgen E. Fischer        norBIT GmbH        Tel. +49-4931-918175-31
Dipl.-Inf. (FH)          Rheinstraße 13     Fax. +49-4931-918175-50
Software Engineer        D-26506 Norden     http://www.norbit.de
QGIS PSC member (RM)     Germany            IRC: jef on FreeNode
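As an added illustration (not QGIS or libpq code; the function names are my own), here is the quoting rule described in the reply, doubling every single quote and backslash and prefixing E when a backslash was present so the server reads the escapes regardless of standard_conforming_strings, together with a small decoder that applies the server-side reading of such a literal so the round trip can be checked without a database.

```python
# Added example, not QGIS/libpq code: the literal-quoting rule discussed above,
# plus a decoder mimicking how PostgreSQL reads the resulting literal.

def quote_literal(value: str) -> str:
    """Return `value` as a PostgreSQL string literal.

    Every single quote and every backslash is doubled. If the input held any
    backslash, the literal gets the E prefix so the doubled backslashes are
    always interpreted as escapes.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    prefix = "E" if "\\" in value else ""
    return f"{prefix}'{escaped}'"


def decode_literal(literal: str) -> str:
    """Decode a literal produced by quote_literal back to plain text.

    '' becomes ' in both forms; in an E'...' literal \\ becomes \ as the
    escape-string parser does. Only escapes emitted above are accepted.
    """
    is_escape = literal.startswith("E")
    body = literal[1:] if is_escape else literal
    if len(body) < 2 or body[0] != "'" or body[-1] != "'":
        raise ValueError("not a quoted literal")
    body = body[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "'":
            if body[i + 1:i + 2] != "'":
                raise ValueError("unescaped quote inside literal")
            out.append("'")
            i += 2
        elif ch == "\\" and is_escape:
            if body[i + 1:i + 2] != "\\":
                raise ValueError("unsupported escape sequence")
            out.append("\\")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def round_trips(value: str) -> bool:
    """True when quoting then decoding gives back the original text."""
    return decode_literal(quote_literal(value)) == value
```

Parametrized queries remain the preferred option where the provider supports them; this quoting is for the remaining string-built statements.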
