[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+-------------------------------------------------
  Reporter: marisn | Owner: grass-dev@…
      Type: defect | Status: new
  Priority: critical | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Resolution: | Keywords: security, code injection, SQL injection, data loss, v.db.update
        CPU: Unspecified | Platform: Unspecified
-------------------------+-------------------------------------------------

Comment (by marisn):

Replying to [comment:8 mlennert]:
> I would propose to close this bug, as I don't see any real issue at
> hand, here.
I'll paste my answer to your comment as an error message I got from wxgui
vector digitizer with current trunk:
{{{
DBMI-DBF driver error:
SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
processing 'ing') in statement:
INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
right?')
Unable to execute statement.

DBMI-DBF driver error:
SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
processing 'ing') in statement:
INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
right?')
Unable to execute statement.

KĻŪDA: Error while executing: 'INSERT INTO rm_me (cat,comments) VALUES
          (1,'you must be f'ing kidding; right?')'
}}}

--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:9>
GRASS GIS <https://grass.osgeo.org>
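As an added illustration (not code from the ticket, from GRASS or from its DBF driver), the statement from the error message above is rebuilt three ways against an in-memory SQLite table standing in for the rm_me table (SQLite is an assumption here, used only because its parser rejects the same unbalanced quote): pasted in unescaped, with the single quote doubled as standard SQL requires, and bound as a parameter.

```python
import sqlite3
from typing import Optional

# Constructed sample: the exact attribute value shown in the ticket's error output.
SAMPLE_COMMENT = "you must be f'ing kidding; right?"


def build_insert_naive(cat: int, comment: str) -> str:
    """Builds the statement the way the error message shows it: value pasted in unescaped."""
    return "INSERT INTO rm_me (cat,comments) VALUES (%d,'%s')" % (cat, comment)


def build_insert_escaped(cat: int, comment: str) -> str:
    """Same statement with every single quote doubled, the standard SQL string escape."""
    return "INSERT INTO rm_me (cat,comments) VALUES (%d,'%s')" % (cat, comment.replace("'", "''"))


def _fresh_table() -> sqlite3.Connection:
    """In-memory stand-in for the rm_me table (assumption: SQLite instead of the DBF driver)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rm_me (cat INTEGER, comments TEXT)")
    return conn


def run_statement(sql: str) -> Optional[str]:
    """Runs one prebuilt statement; returns the stored comment, or None if the parser rejects it."""
    conn = _fresh_table()
    try:
        conn.execute(sql)
    except sqlite3.Error:
        # Same failure class as the ticket: the quote ends the literal early and
        # 'ing' is read as a bare token where ')' or ',' was expected.
        return None
    row = conn.execute("SELECT comments FROM rm_me WHERE cat = 1").fetchone()
    return row[0] if row else None


def run_parameterized(cat: int, comment: str) -> str:
    """Preferred form: the driver binds the value itself, so the caller never escapes anything."""
    conn = _fresh_table()
    conn.execute("INSERT INTO rm_me (cat,comments) VALUES (?,?)", (cat, comment))
    return conn.execute("SELECT comments FROM rm_me WHERE cat = ?", (cat,)).fetchone()[0]


if __name__ == "__main__":
    print("naive:", run_statement(build_insert_naive(1, SAMPLE_COMMENT)))
    print("escaped:", run_statement(build_insert_escaped(1, SAMPLE_COMMENT)))
    print("parameterized:", run_parameterized(1, SAMPLE_COMMENT))
```

The naive build reproduces the statement text from the error output exactly; only the escaped and parameterized forms store the comment intact.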