Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres quote_* methods manage "--" comments or strings without quotes that can break an SQL statement or introduce elements that can't be escaped...

I would appreciate opinions from DB experts, because looking around, everyone says that escaping is not enough.

Luigi Pirelli ([email protected] - [email protected])

On 6 March 2014 16:35, Jürgen E. <[email protected]> wrote:

> Hi Gino,
>
> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
> > but they quote only ' or \ so they are -not- enough for complete sql
> > injection protection [4]
>
> Um, the link doesn't clearly point out what else to do.
>
> > every DB has its internal functions to manage these cases, but better
> > use parametrized queries as in many parts of the provider... but not
> > in all parts.
>
> [1] looks similar. It duplicates all backslashes, not just those in front of a
> double quote, and prepends an E to strings with backslashes. 7829e7a now does it
> the same way.
>
>
> Jürgen
>
> [1] http://doxygen.postgresql.org/fe-exec_8c.html#a01c75d019597e76bc041716f27caf564
>
> --
> Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
> Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
> Software Engineer D-26506 Norden
> http://www.norbit.de
> QGIS PSC member (RM) Germany IRC: jef on FreeNode
>
> --
> norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
> Rheinstrasse 13, 26506 Norden
> GF: Jelto Buurman, HR: Amtsgericht Emden, HRB 5502
>
> _______________________________________________
> Qgis-developer mailing list
> [email protected]
> http://lists.osgeo.org/mailman/listinfo/qgis-developer
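The escaping rules Jürgen describes above (single quotes doubled, every backslash doubled, an E prefix when the value contains a backslash), written out as an added example that is not QGIS or libpq code; it also addresses Luigi's "--" question with a small scanner that checks the quoted output is exactly one string literal. The function names are my own.

```python
# Added example, not QGIS or libpq code: mirrors the escaping rules the thread describes
# (single quotes doubled; every backslash doubled and an E prefix added when the value
# contains a backslash) and adds a small scanner that checks the result is exactly one
# string literal. A "--" inside a correctly quoted literal is just two characters; the
# scanner only reports a problem if the literal closes early or text follows it.


def quote_literal(value: str) -> str:
    """Quote a value as a PostgreSQL string literal."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    prefix = "E" if "\\" in value else ""  # E'...' makes backslash escapes explicit
    return f"{prefix}'{escaped}'"


def quote_identifier(name: str) -> str:
    """Quote a column or table name; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def is_single_literal(sql: str) -> bool:
    """True if sql parses as one string literal with nothing before or after it."""
    e_mode = sql.startswith("E'")
    if not e_mode and not sql.startswith("'"):
        return False
    i, n = (2 if e_mode else 1), len(sql)
    while i < n:
        ch = sql[i]
        if e_mode and ch == "\\":
            i += 2  # a backslash escape consumes the following character
            continue
        if ch == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2  # doubled quote: a literal apostrophe, not the end
                continue
            return i == n - 1  # the closing quote must be the final character
        i += 1
    return False  # quote never closed


if __name__ == "__main__":
    # constructed sample values
    for value in ["plain", "O'Neil -- not a comment", "C:\\temp\\x'y"]:
        lit = quote_literal(value)
        print(f"{value!r:32} -> {lit!r:32} single literal: {is_single_literal(lit)}")
```

Quoting like this keeps a value inside one literal, but it does not replace parametrized queries, which the thread recommends where the provider supports them.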
