Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Jürgen E. Fischer
Hi Gino, On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote: but they quote only ' or \ so they are -not- enough for complete SQL injection protection [4] Um, the link doesn't clearly point out what else to do. every DB has its internal functions to manage these cases, but better

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Gino Pirelli
Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres quote_* methods manage -- Comments or Strings without Quotes that can break an SQL statement or introduce elements that can't be escaped... I would appreciate opinions from DB experts because looking around, all say that escaping

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread G. Allegri
QGIS Server does its own escaping and filters allowed characters and words in filters. giovanni 2014-03-06 18:59 GMT+01:00 Alessandro Pasotti apaso...@gmail.com: 2014-03-06 18:51 GMT+01:00 Gino Pirelli lui...@gmail.com: Thank you Jürgen, I feel safer ;) but... I can't figure out how

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Alessandro Pasotti
2014-03-06 18:51 GMT+01:00 Gino Pirelli lui...@gmail.com: Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres quote_* methods manage -- Comments or String without Quotes that can break SQL statement or introduce elements that can't be escaped... I would appreciate

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Gino Pirelli
Hi Alessandro, this is inside the provider... I suppose that QGIS Server uses the provider as Desktop Luigi Pirelli (luigi.pire...@faunalia.it - lui...@gmail.com) On 6 March 2014 18:59, Alessandro Pasotti apaso...@gmail.com wrote: 2014-03-06 18:51 GMT+01:00 Gino Pirelli lui...@gmail.com: Thank you

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Alessandro Pasotti
2014-03-06 19:09 GMT+01:00 Gino Pirelli lui...@gmail.com: Hi alessandro this is inside provider... I suppose that qgis server uses provider as Desktop Yes, but it does some sanity checks. https://github.com/qgis/QGIS/blob/master/src/mapserver/qgswmsserver.cpp#L1975 -- Alessandro

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread Jürgen E. Fischer
Hi Gino, On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote: Thank you Jürgen, I feel safer ;) but... I can't figure out how postgres quote_* methods manage -- Comments or String without Quotes that can break SQL statement or introduce elements that can't be escaped... quotedValue

Re: [Qgis-developer] SQL Injection vulnerability

2014-03-06 Thread aperi2007
AFAIK a direct SQL string should never be put in an SLD style. The SQL is at datasource level for dataset filtering and this is a question outside the style. In the style only some filters for classifications should be put. This is more affordable with CQL rather than SQL. Apart from