Geoff Williams created GEOS-5792
Issue Type: Improvement
Assignee:
Components: UI
Created: 28/Apr/13 10:56 PM
Description:
I’ve coded an enhancement to the SQL views system that allows supplied parameters to be escaped to prevent injection attacks caused by breaking out of quotes and/or supplying other special characters. This is really useful when you want to allow quotes in parameters and/or avoid specifying each special character to allow in the validation regexp. Doing so in the current system could easily allow in more than the user intends and potentially allow SQL injection. This feature adds the following behaviour (in GeoTools):
To enable SQL escaping on existing SQL views: To enable SQL escaping on new SQL views: Note: … If you are passing large amounts of SQL such as whole WHERE clauses (you really shouldn’t be doing this…) then you will likely find that this feature breaks your SQL view by escaping too many quotes – but you're not doing things like this anyway, are you? See pull requests:
Environment: all
Fix Versions: 2.4-beta
Project:
Priority: Minor
Reporter:
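An added, self-contained illustration of the approach the ticket describes (escaping a parameter inside a quoted literal rather than relying on the validation regexp alone); this is not GeoTools code, and the view template, parameter name, regexp and the `literal_count` check are constructed for the example:

```python
import re

# Constructed template in the style of a GeoServer SQL view: %name% is a view
# parameter substituted into the SQL text before the query reaches the database.
VIEW_SQL = "SELECT * FROM roads WHERE name = '%name%'"

# A permissive validation regexp that deliberately allows single quotes. On its
# own it cannot stop a quote from ending the literal; escaping is what does that.
VALIDATION = re.compile(r"[\w\s'.-]*")


def escape_sql_literal(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL string literal.

    Doubling the quote is standard SQL. Backends that also treat backslash as an
    escape character need it handled as well; that is backend-specific and not
    done here.
    """
    return value.replace("'", "''")


def substitute(template: str, params: dict, escape: bool = True) -> str:
    """Substitute %param% placeholders, validating and (optionally) escaping."""

    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in params:
            raise KeyError(f"missing view parameter: {name}")
        value = params[name]
        if VALIDATION.fullmatch(value) is None:
            raise ValueError(f"parameter {name} failed validation")
        return escape_sql_literal(value) if escape else value

    return re.sub(r"%(\w+)%", replace, template)


def literal_count(sql: str):
    """Count single-quoted literals in sql, treating '' as an escaped quote.

    Returns (count, balanced). With escaping the value stays inside one literal
    and the quotes balance; an unescaped quote ends the literal early and leaves
    the statement unbalanced, which is the condition a unit test can assert on.
    """
    count, i, inside = 0, 0, False
    while i < len(sql):
        if sql[i] == "'":
            if inside and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote inside a literal is part of the value
                continue
            inside = not inside
            if not inside:
                count += 1
        i += 1
    return count, not inside
```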