On 05.01.2016 12:45, Nicolas Ribot wrote:
> Hi all,
>
> Concerning SQL, I can't see how we can protect from malicious SQL code
> considering:
>
> OJ is not just an interface to SQL databases, but a complete SQL client
> allowing to perform ANY kind of queries (as we open a connection to a
> da
A quick test on QGis showed that their query filter interface works the
same as ours:
the formula editor generates a query based on user input, then wraps it
into a LIMIT 0 clause, without performing any other test (";" in the query
for instance).
This filter, for instance, is executed and drops t
Hi all,
Concerning SQL, I can't see how we can protect from malicious SQL code
considering:
OJ is not just an interface to SQL databases, but a complete SQL client
allowing to perform ANY kind of queries (as we open a connection to a
database then execute the statement in DB Query plugin, for ins
On 01.01.2016 19:18, Rahkonen Jukka (MML) wrote:
> Hi,
>
> As far as I can imagine the security risk can only become actual if OpenJUMP
> is used in a multiuser environment where some project administrator is
> creating JUMP project files and/or workbench-state.xml file and deliver them
> for t
Hi,
As far as I can imagine the security risk can only become actual if OpenJUMP is
used in a multiuser environment where some project administrator is creating
JUMP project files and/or workbench-state.xml file and delivers them to the
operators. In that case users do not necessarily know the
Hi Ede,
You're right, our database code is probably not safe.
It is quite easy to inject DDL instructions like create, drop or truncate
both with FilterQuery and with AdhocQuery (it throws an error, but executes
the DDL first ;-().
It is probably not an easy task to make it more safe and to keep
to all concerned especially Nico, Mike, Jukka...
When working on the db datastores I became aware that there are
- no prepared statements
- no SQL escaping of parameters at all.
Coming from a background of web development and being generally security aware
that troubles me somewhat. give the po