Hi Gino,
On Thu, 06. Mar 2014 at 12:10:02 +0100, Gino Pirelli wrote:
but they quote only ' or \ so they are -not- enough for complete SQL
injection protection [4]
Um, the link doesn't clearly point out what else to do.
every DB has its internal functions to manage these cases, but better
Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
quote_* methods manage -- comments or strings without quotes that can
break a SQL statement or introduce elements that can't be escaped...
I would appreciate opinions from DB experts because, looking around, all say
that escaping
QGIS Server does its own escaping and filters allowed characters and words
in filters.
giovanni
2014-03-06 18:59 GMT+01:00 Alessandro Pasotti apaso...@gmail.com:
2014-03-06 18:51 GMT+01:00 Gino Pirelli lui...@gmail.com:
Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
quote_* methods manage -- comments or strings without quotes that can
break a SQL statement or introduce elements that can't be escaped...
I would appreciate
Hi Alessandro
this is inside the provider... I suppose that QGIS Server uses the provider as
Desktop does
Luigi Pirelli (luigi.pire...@faunalia.it - lui...@gmail.com)
On 6 March 2014 18:59, Alessandro Pasotti apaso...@gmail.com wrote:
2014-03-06 19:09 GMT+01:00 Gino Pirelli lui...@gmail.com:
Hi Alessandro
this is inside the provider... I suppose that QGIS Server uses the provider as
Desktop does
Yes, but it does some sanity checks.
https://github.com/qgis/QGIS/blob/master/src/mapserver/qgswmsserver.cpp#L1975
--
Alessandro
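The exchange above raises two separate questions: whether quote_*-style escaping copes with comment markers, and what a server can do with a whole filter expression that cannot be quoted. The following is an added example (not code from this thread, from QGIS Server, or from PostgreSQL) that shows both, using an in-memory SQLite database; the roads table, its rows, and the allowlist check are constructed for the example and are hypothetical, not the checks QGIS Server actually implements.

```python
"""Added example, not code from the thread or from QGIS/PostgreSQL.

Three defensive layers for a value or filter that ends up in a WHERE clause:
  1. quote_literal-style escaping (the rule PostgreSQL's quote_literal applies)
     for a value that sits in a quoted string position;
  2. binding the value as a query parameter instead of splicing it in;
  3. an allowlist tokenizer for a whole filter expression, where quoting cannot
     apply because the expression itself has to stay unquoted.
Runs against an in-memory SQLite database; table, rows and column names are
constructed sample data. The allowlist is a hypothetical check written for this
example, not the one QGIS Server implements.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample layer table; 'secret' stands for a column a client must not read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roads (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO roads VALUES (?, ?, ?)",
        [(1, "Main St", "hidden-1"), (2, "O'Hara Rd", "hidden-2"), (3, "Elm -- Ave", "hidden-3")],
    )
    return conn


def quote_literal(value: str) -> str:
    """Same rule as PostgreSQL quote_literal: wrap in single quotes, double embedded ones.
    Inside the resulting literal, sequences such as -- or ; are ordinary characters,
    so a comment marker cannot terminate a correctly quoted string."""
    return "'" + value.replace("'", "''") + "'"


def names_by_escaping(conn: sqlite3.Connection, name: str) -> list:
    """Value spliced into a quoted position: quote_literal is sufficient here."""
    sql = "SELECT name FROM roads WHERE name = " + quote_literal(name)
    return [row[0] for row in conn.execute(sql)]


def names_by_binding(conn: sqlite3.Connection, name: str) -> list:
    """Preferred form: the driver sends the value separately and never parses it as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM roads WHERE name = ?", (name,))]


# Allowlist for a client-supplied filter expression (hypothetical; e.g. a WMS FILTER parameter).
_TOKEN = re.compile(
    r"""\s+                       # whitespace
      | '(?:[^']|'')*'            # string literal, '' is an escaped quote
      | \d+(?:\.\d+)?             # number
      | [A-Za-z_][A-Za-z0-9_]*    # identifier or keyword
      | <=|>=|<>|!=|[=<>()]       # comparison operators and parentheses
    """,
    re.VERBOSE,
)
_ALLOWED_WORDS = {"AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL"}
_ALLOWED_COLUMNS = {"id", "name"}  # columns a client may filter on


def validate_filter(expr: str) -> bool:
    """True only if the whole expression decomposes into allowed tokens and every
    identifier is an allowed keyword or filterable column. Comment markers,
    semicolons, SELECT/UNION and columns such as 'secret' never pass."""
    pos = 0
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if match is None:
            return False
        token = match.group(0)
        if token[0].isalpha() or token[0] == "_":
            if token.upper() not in _ALLOWED_WORDS and token not in _ALLOWED_COLUMNS:
                return False
        pos = match.end()
    return True


def filtered_names(conn: sqlite3.Connection, expr: str) -> list:
    """Apply a client filter only after it passes the allowlist."""
    if not validate_filter(expr):
        raise ValueError("filter rejected by allowlist")
    sql = "SELECT name FROM roads WHERE " + expr + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(names_by_escaping(db, "Elm -- Ave"))                 # ['Elm -- Ave']
    print(names_by_escaping(db, "x' OR 1=1 --"))               # []  (stays one plain string)
    print(validate_filter("name = 'O''Hara Rd' AND id > 1"))   # True
    print(validate_filter("id = 1 -- comment"))                # False
    print(validate_filter("secret = 'x'"))                     # False
```

The escaping path answers the comment question: once the value is a correctly quoted literal, `--` inside it is data, not a comment. The allowlist path is what "sanity checks" on a filter amount to in practice: it bounds which tokens, keywords and columns a filter may contain, but it does not decide how selective the filter is (`id = 1 OR 1=1` passes), which is why row-level restrictions belong at the datasource rather than in the filter check.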
Hi Gino,
On Thu, 06. Mar 2014 at 18:51:58 +0100, Gino Pirelli wrote:
Thank you Jürgen, I feel safer ;) but... I can't figure out how the postgres
quote_* methods manage -- comments or strings without quotes that can
break a SQL statement or introduce elements that can't be escaped...
quotedValue
AFAIK a direct SQL string should never be put in an SLD style.
The SQL is at datasource level for the dataset filter, and this is a question
outside of the style.
In the style, only some filters for classifications should be put.
This is more affordable with CQL rather than SQL.
Apart from