FDO 3.3 has an sql injection problem

FDO 3.3 has an sql injection problem

Hans Milling
When I query a MapInfo table (OGR provider) from the FDO ToolBox application (and from my own application), I can return all rows in a table using an apostrophe / single quote in the query filter, like this:
name like "O'Conner%"
If I write:
lastname like 'O'Conner%'
It works as normal.
Doing:
lastname like "O''Conner%"
                ^ Two single quotes
Does not return any rows.
Is this a bug in FDO?

Best regards Hans Milling...

Re: FDO 3.3 has an sql injection problem

Jackie Ng
Can you do such injection via OGR itself (maybe through the ogrinfo utility)?

This will determine if it is the OGR library or the provider that's failing to sanitize.

- Jackie

Re: FDO 3.3 has an sql injection problem

Birgir
Hi Jackie,
I have tested the ogrinfo utility but can't get the expected data from my queries.

My goal is to execute the following filter on my datasource:
"Vejnavn=Frederik IX's Plads, Farsoe"

This is what I have done...


Regards,
Birgir