QGIS Server does its own escaping and filters allowed characters and words
in filters.

giovanni


2014-03-06 18:59 GMT+01:00 Alessandro Pasotti <[email protected]>:

> 2014-03-06 18:51 GMT+01:00 Gino Pirelli <[email protected]>:
>
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
>> quote_* methods manage "--" Comments or String without Quotes that can
>> break the SQL statement or introduce elements that can't be escaped...
>>
>> I would appreciate opinions by DB experts because looking around all says
>> that escaping is not enough.
>>
>> Luigi Pirelli ([email protected] - [email protected])
>>
>>
>>
>> On 6 March 2014 16:35, Jürgen E. <[email protected]> wrote:
>>
>>> Hi Gino,
>>>
>>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>>> > but they quote only ' or \ so they are -not- enough to a complete sql
>>> > injection protection [4]
>>>
>>> Um, the link doesn't clearly point out what else to do.
>>>
>>> > every DB has its internal functions to manage these cases, but better
>>> > use parametrized queries as in many parts of the provider... but not
>>> > in all parts.
>>>
>>> [1] looks similar.  It duplicates all backslashes not just those in
>>> front of a double quote and prepends an E to strings with backslashes.
>>> 7829e7a now does it the same way.
>>>
>>>
>
> Hi Gino,
>
> are you worried about functions exposed by QGIS Mapserver or by the
> desktop?
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
>
> _______________________________________________
> Qgis-developer mailing list
> [email protected]
> http://lists.osgeo.org/mailman/listinfo/qgis-developer
>



-- 
Giovanni Allegri
http://about.me/giovanniallegri
Twitter: https://twitter.com/_giohappy_
blog: http://blog.spaziogis.it
GEO+ geomatica in Italia http://bit.ly/GEOplus
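The quoting rule Jürgen describes (double every backslash and every single quote, prefix E when a backslash is present) and Gino's two worries (a "--" inside the value, and values emitted without quotes), worked through in Python as an added illustration that is not QGIS or provider code. The table and column names are constructed, and the literal scanner only implements the '' and backslash-doubling rules that matter here.

```python
import re
from typing import List

def quote_literal(value: str) -> str:
    """PostgreSQL-style literal quoting as described in the thread: double every
    backslash and single quote, and emit an E'...' literal when a backslash is
    present so it reads the same regardless of standard_conforming_strings."""
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return ("E" if "\\" in value else "") + "'" + escaped + "'"

def quote_identifier(name: str) -> str:
    """Identifiers are double-quoted, with embedded double quotes doubled."""
    return '"' + name.replace('"', '""') + '"'

def extract_literals(sql: str) -> List[str]:
    """Return the decoded contents of every string literal in sql, applying the
    '' rule and backslash-doubling inside E'...' strings (other backslash
    escapes are not interpreted). Used to check where untrusted input ends up."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        prev_is_word = i > 0 and (sql[i - 1].isalnum() or sql[i - 1] == "_")
        is_e = sql[i] in "eE" and not prev_is_word and sql[i + 1 : i + 2] == "'"
        if sql[i] != "'" and not is_e:
            i += 1; continue
        i += 2 if is_e else 1                  # step past E and/or opening quote
        buf = []
        while i < n:
            c = sql[i]
            if is_e and c == "\\" and i + 1 < n:
                buf.append(sql[i + 1]); i += 2  # \\ -> \ and \' -> '
            elif c == "'" and sql[i + 1 : i + 2] == "'":
                buf.append("'"); i += 2         # '' -> '
            elif c == "'":
                i += 1; break                   # closing quote
            else:
                buf.append(c); i += 1
        literals.append("".join(buf))
    return literals

def build_filter(column: str, value: str) -> str:
    # constructed table/column names; value is untrusted user input
    return f"SELECT gid FROM places WHERE {quote_identifier(column)} = {quote_literal(value)}"

def value_stays_one_literal(value: str) -> bool:
    """True when the whole value comes back as one literal: a '--', ';' or stray
    quote inside it is then data, never SQL syntax."""
    return extract_literals(build_filter("name", value)) == [value]

def build_numeric_filter(column: str, value: str) -> str:
    """Numeric comparisons are emitted unquoted, so quote_literal cannot protect
    them; validate the value instead of relying on escaping."""
    if not re.fullmatch(r"-?\d+", value):
        raise ValueError("numeric filter value must be an integer")
    return f"SELECT gid FROM places WHERE {quote_identifier(column)} = {value}"
```

The unquoted numeric case is the one the escaping functions cannot cover, which is why the thread's preference for parametrized queries applies there most of all.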
