AFAIK in a SLD style should never be put a direct sql string.
The SQL is at datasource level for dataset filter and this is a question
outside from the style.
In the style should be put only some filter for classifications.
This is more affordable with the CQL rather than SQL.
Apart from this,
in the SQL the more suitable character for sql injection is the ; char
The ; char is the break for every command and so
it allow some trick.
As example:
string= ";delete from <name-table>;"
with the ; ias first char is capable usually to do work this string also
in a system where it
is is a concatenation in
'select * from table-2 where (' || string || ');'
it became:
'select * from table-2 where ( ;delete from <name-table>; );'
a dbms that try to execute this will do an error of-course, because
select * from table-2 where ( ;
is an error, but after this it could execute the
delete from <name-table>;
and this is not an error.
my 2 ct.
Andrea.
On 06/03/2014 19:25, Jürgen E. Fischer wrote:
Hi Gino,
On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres
quote_* methods manage "--" Comments or String without Quotes that can
break SQL statement or introduce elements that can't be escaped...
quotedValue puts ' around the value and duplicates all inner ' so that they are
not interpreted as quotes that end the string, but as quotes inside the string
and also duplicates backslashes so that they are interpreted as backslashes
instead of giving the following character a special meaning.
What else is there to handle?
Jürgen
_______________________________________________
Qgis-developer mailing list
Qgis-developer@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/qgis-developer
