2014-03-06 18:51 GMT+01:00 Gino Pirelli <[email protected]>:
> Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
> quote_* methods manage "--" comments or strings without quotes that can
> break an SQL statement or introduce elements that can't be escaped...
>
> I would appreciate opinions by DB experts because looking around all says
> that escaping is not enough.
>
> Luigi Pirelli ([email protected] - [email protected])
>
>
> On 6 March 2014 16:35, Jürgen E. <[email protected]> wrote:
>
>> Hi Gino,
>>
>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>> > but they quote only ' or \ so they are -not- enough for a complete sql
>> > injection protection [4]
>>
>> Um, the link doesn't clearly point out what else to do.
>>
>> > every DB has its internal functions to manage these cases, but better
>> > use parametrized queries as in many parts of the provider... but not
>> > in all parts.
>>
>> [1] looks similar. It duplicates all backslashes, not just those in front
>> of a double quote, and prepends an E to strings with backslashes. 7829e7a now
>> does it the same way.
>>
Hi Gino,

are you worried about functions exposed by QGIS Mapserver or by the desktop?

--
Alessandro Pasotti
w3: www.itopen.it
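The question in the quoted thread is why quoting functions alone do not settle the matter: a properly quoted literal keeps a "--" as data, but the same text dropped into an unquoted position (a numeric comparison, an identifier) becomes part of the statement's structure, where no amount of quote-escaping helps. The example below is added here for illustration and is not code from QGIS, the postgres provider, or any of the thread's authors. It assumes a simplified PostgreSQL lexer (single-quoted literals, double-quoted identifiers, "--" line comments; no E'' escape strings or dollar quoting) and standard_conforming_strings = on, under which quote_literal() only doubles single quotes; the "%s" placeholder in the parameterized form follows the psycopg convention and is an assumption about the driver.

```python
"""Where does user input land: inside a literal (data) or outside (structure)?

Added example, not the QGIS provider's code.  Runs offline: instead of a
database it uses a small tokenizer (an assumption/simplification of the
PostgreSQL lexer) that reports which parts of a statement sit *outside*
quotes, i.e. the parts the SQL parser will obey.
"""
from __future__ import annotations


def quote_literal(value: str) -> str:
    """Mimic PostgreSQL quote_literal() with standard_conforming_strings=on:
    double every single quote and wrap the result in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Mimic PostgreSQL quote_ident(): double embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def structural_tokens(sql: str) -> list[str]:
    """Return the pieces of `sql` outside quoted regions, replacing each
    string literal by <literal>, each quoted identifier by <identifier> and
    each "--" comment (outside quotes) by <comment>.  Anything else is text
    the parser interprets as statement structure."""
    out: list[str] = []
    buf = ""
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            if buf.strip():
                out.append(buf.strip())
            buf = ""
            q = c
            i += 1
            while i < n:                      # scan to the closing quote,
                if sql[i] == q:               # treating a doubled quote as
                    if i + 1 < n and sql[i + 1] == q:   # an escaped quote
                        i += 2
                        continue
                    break
                i += 1
            i += 1                            # step over the closing quote
            out.append("<literal>" if q == "'" else "<identifier>")
            continue
        if sql.startswith("--", i):           # comment outside quotes:
            if buf.strip():                   # the rest of the line is gone
                out.append(buf.strip())
            buf = ""
            out.append("<comment>")
            j = sql.find("\n", i)
            i = n if j == -1 else j + 1
            continue
        buf += c
        i += 1
    if buf.strip():
        out.append(buf.strip())
    return out


def has_comment_outside_quotes(sql: str) -> bool:
    """True if a "--" in the statement is structural rather than data."""
    return "<comment>" in structural_tokens(sql)


def build_by_quoting(table: str, column: str, value: str) -> str:
    """Escaping approach: the value is quoted as a string literal, so any
    "--" it carries stays inside the literal."""
    return (f"SELECT * FROM {quote_identifier(table)} "
            f"WHERE {quote_identifier(column)} = {quote_literal(value)}")


def build_numeric_unquoted(table: str, value: str) -> str:
    """The weak pattern the thread is about: a value written into an
    unquoted numeric position.  quote_literal() is not applicable here, so
    whatever the string contains becomes statement structure."""
    return f"SELECT * FROM {quote_identifier(table)} WHERE id = {value}"


def is_valid_numeric(value: str) -> bool:
    """For unquoted numeric positions the defence is validation, not
    escaping: only a plain integer may be spliced into the statement."""
    try:
        int(value)
        return True
    except ValueError:
        return False


def build_parameterized(table: str, value: str) -> tuple[str, tuple[str, ...]]:
    """Parameterized form: the identifier still has to be quoted (it cannot be
    a parameter), but the value travels separately from the SQL text, so it
    can never change the statement's structure.  "%s" is the psycopg-style
    placeholder (assumption about the driver)."""
    return (f"SELECT * FROM {quote_identifier(table)} WHERE id = %s", (value,))
```

Constructed inputs such as `x' --` (for a quoted string column) and `1 --` (for an unquoted numeric column) show the difference: the first ends up entirely inside a `<literal>` token, the second produces a `<comment>` token outside quotes, which is exactly the case the quoting functions cannot cover and where either validation of the value or a parameterized query is needed.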
_______________________________________________
Qgis-developer mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/qgis-developer
