Hi Alessandro

This is inside the provider... I suppose that QGIS Server uses the provider
the same way the Desktop does.

Luigi Pirelli (luigi.pire...@faunalia.it - lui...@gmail.com)


On 6 March 2014 18:59, Alessandro Pasotti <apaso...@gmail.com> wrote:

> 2014-03-06 18:51 GMT+01:00 Gino Pirelli <lui...@gmail.com>:
>
>> Thank you Jürgen, I feel safer ;) but... I can't figure out how the Postgres
>> quote_* methods manage "--" comments or strings without quotes that can
>> break the SQL statement or introduce elements that can't be escaped...
>>
>> I would appreciate opinions from DB experts, because everything I find says
>> that escaping isn't enough.
>>
>> Luigi Pirelli (luigi.pire...@faunalia.it - lui...@gmail.com)
>>
>>
>>
>> On 6 March 2014 16:35, Jürgen E. <j...@norbit.de> wrote:
>>
>>> Hi Gino,
>>>
>>> On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
>>> > but they quote only ' or \ so they are -not- enough for complete SQL
>>> > injection protection [4]
>>>
>>> Um, the link doesn't clearly point out what else to do.
>>>
>>> > every DB has its own internal functions to handle these cases, but it's
>>> > better to use parametrized queries as in many parts of the provider... but
>>> > not in all parts.
>>>
>>> [1] looks similar.  It duplicates all backslashes, not just those in front
>>> of a double quote, and prepends an E to strings with backslashes.  7829e7a
>>> now does it the same way.
>>>
>>>
>
> Hi Gino,
>
> are you worried about functions exposed by QGIS Mapserver or by the
> desktop?
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
>
_______________________________________________
Qgis-developer mailing list
Qgis-developer@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/qgis-developer
