wxGUI vector digitizer passing unescaped text to database
Reported by: marisn
Owned by:
Keywords: security, code injection, SQL injection, data loss, v.db.update
Cc:
It seems that it is not possible to enter attribute data for a new vector feature that is not valid SQL, due to the code being unable to pass user text to the database as text.
Steps to reproduce:
- Create a new vector data set;
- Create a new text attribute column for it;
- Digitize a new feature;
- Provide the following text as the attribute value: '; drop database important_data; '
- Observe kaBOOM! as text is parsed by database instead of being properly escaped/passed as prepared statement to the DB.
DBMI-SQLite driver error: Error in sqlite3_prepare(): near ";": syntax error
DBMI-SQLite driver error: Error in sqlite3_prepare(): near ";": syntax error
KĻŪDA: Error while executing: 'INSERT INTO remove_me (cat,nosaukums) VALUES (3,''; drop database important_data; '')'
The issue also occurs with more harmless examples like: It's fun
For better effect, enter the value as: '); delete from MYVECTORMAP; select '
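The failure mode in the report (an attribute value spliced into the INSERT string, so a single quote in the value terminates the literal and the remainder is parsed as SQL) and its fix can be seen side by side in the added example below. It is not GRASS code; the table name remove_me and column nosaukums are taken from the error message above, the in-memory SQLite database and the %-formatting of the vulnerable variant are assumptions, and the sample values are the two from the report.

```python
import sqlite3

# Table and column names come from the ticket's error message; the database is
# an in-memory SQLite file constructed for this example, not a GRASS map.
TABLE = "remove_me"
COLUMN = "nosaukums"


def setup_db():
    """Create an in-memory SQLite database with the ticket's attribute table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (cat INTEGER PRIMARY KEY, %s TEXT)" % (TABLE, COLUMN))
    return conn


def insert_unsafe(conn, cat, value):
    """Vulnerable pattern (assumed to mirror the digitizer's behaviour): the user's
    text is spliced straight into the SQL string. A single quote in the value ends
    the literal early and the rest of the value is parsed as SQL."""
    sql = "INSERT INTO %s (cat,%s) VALUES (%d,'%s')" % (TABLE, COLUMN, cat, value)
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, cat, value):
    """Fixed pattern: bind the value as a statement parameter, so the driver never
    parses it as SQL and stores it verbatim."""
    sql = "INSERT INTO %s (cat,%s) VALUES (?,?)" % (TABLE, COLUMN)
    conn.execute(sql, (cat, value))
    conn.commit()


def quote_literal(value):
    """Fallback when an interface only accepts a ready-made SQL string (as when a
    statement is handed to v.db.update): double every single quote in the literal."""
    return "'" + value.replace("'", "''") + "'"


def insert_escaped(conn, cat, value):
    """Same concatenation as insert_unsafe, but with the literal properly quoted."""
    sql = "INSERT INTO %s (cat,%s) VALUES (%d,%s)" % (TABLE, COLUMN, cat, quote_literal(value))
    conn.execute(sql)
    conn.commit()


def stored_value(conn, cat):
    """Return what actually ended up in the attribute column for a given cat."""
    row = conn.execute("SELECT %s FROM %s WHERE cat=?" % (COLUMN, TABLE), (cat,)).fetchone()
    return row[0] if row else None


def demo():
    """Run each insert variant against the ticket's two sample values and report
    either the stored text or the driver error (as the ticket's log shows)."""
    samples = {"plain": "It's fun", "injection": "'; drop database important_data; '"}
    variants = [("unsafe", insert_unsafe), ("safe", insert_safe), ("escaped", insert_escaped)]
    results = {}
    for label, value in samples.items():
        for name, fn in variants:
            conn = setup_db()  # fresh table per run so failures do not interfere
            try:
                fn(conn, 1, value)
                results[(label, name)] = stored_value(conn, 1)
            except sqlite3.Error as e:
                results[(label, name)] = "error: %s" % e
    return results


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print("%-10s %-8s -> %r" % (key[0], key[1], val))
```

Running the block shows the unsafe variant failing with the same sqlite3_prepare() syntax error for both values, while the parameterised and the quote-doubled variants store each value character for character, the "drop database" text included, as plain attribute text. Parameter binding is the preferred fix; quote doubling is only for interfaces that accept nothing but a finished SQL string.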
Change History (20)
comment:1 by , 8 years ago
Keywords: security code injection SQL injection data loss v.db.update added