List:       kde-commits
Subject:    Re: KDE/kdebase/runtime/nepomuk/strigibackend
From:       Oswald Buddenhagen <ossi () kde ! org>
Date:       2008-06-29 7:53:50
Message-ID: 20080629075350.GC4097 () ugly ! local
On Sat, Jun 28, 2008 at 09:47:59PM +0000, Sebastian Trueg wrote:
> - properly escape quotes in sparql queries.
> 
> --- trunk/KDE/kdebase/runtime/nepomuk/strigibackend/sopranoindexreader.cpp #825632:825633
> -                    .arg( QString::fromUtf8( parent.c_str() ) )
> +                    .arg( QString::fromUtf8( parent.c_str() ).replace( '\"', "\\\"" ) )
>
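Review bot: the `+` line escapes `"` but leaves `\` alone, so the escaping is still incomplete for any value that contains a backslash: a name ending in `\` becomes `\"` inside the query, which the SPARQL tokenizer reads as an escaped quote rather than the closing one, and a value containing `\"` comes out as `\\"`, an escaped backslash followed by a bare quote that ends the literal early. Escape backslashes first and quotes second, e.g. `.replace( '\\', "\\\\" ).replace( '\"', "\\\"" )`, and handle newlines and the other control characters SPARQL string literals do not allow raw; since the same `.arg( QString::fromUtf8( ... ) )` pattern is likely repeated at other call sites, a single helper that serializes the whole literal would be easier to keep correct than per-site `replace` chains.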
and what about backslashes?
fwiw, you just partially closed an sql injection security hole. i'm not
sure how much mischief can be done with that, but it sure is worth some
serious thought.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Confusion, chaos, panic - my work here is done.
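The escaping question raised in this thread, worked through as an added example that is not code from the commit or from Nepomuk/Soprano: plain C++ stand-ins for the `QString::replace` call, a full SPARQL literal escaper, and a tokenizer-style check that tells whether the closing quote lands where the caller intended.

```cpp
#include <string>

// SPARQL STRING_LITERAL2 ("..."): inside the quotes, '"', '\\' and line breaks
// may not appear raw; they must be written as ECHAR escapes (\t \b \n \r \f \" \' \\).
std::string escapeSparqlLiteral(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 2);
    out += '"';
    for (char c : in) {
        switch (c) {
            case '\\': out += "\\\\"; break;   // backslash first, or later escapes are undone
            case '"':  out += "\\\""; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            case '\b': out += "\\b";  break;
            case '\f': out += "\\f";  break;
            default:   out += c;
        }
    }
    out += '"';
    return out;
}

// What the committed change does: escape double quotes only
// (std::string stand-in for .replace( '\"', "\\\"" )).
std::string escapeQuotesOnly(const std::string& in) {
    std::string out = "\"";
    for (char c : in) { if (c == '"') out += "\\\""; else out += c; }
    return out + '"';
}

// Check: is `lit` exactly one well-formed double-quoted literal, i.e. does the
// closing quote fall on the last character? Walks the text like a SPARQL tokenizer.
bool isSingleWellFormedLiteral(const std::string& lit) {
    if (lit.size() < 2 || lit[0] != '"') return false;
    for (size_t i = 1; i < lit.size(); ++i) {
        char c = lit[i];
        if (c == '\\') {
            if (i + 1 >= lit.size()) return false;              // dangling backslash
            if (std::string("tbnrf\"'\\").find(lit[i + 1]) == std::string::npos) return false;
            ++i;                                                // skip the escaped char
        } else if (c == '"') {
            return i == lit.size() - 1;                         // literal must end exactly here
        } else if (c == '\n' || c == '\r') {
            return false;                                       // raw line break not allowed
        }
    }
    return false;                                               // unterminated
}
```

Run the quotes-only version over a value ending in a backslash and the check reports an unterminated literal, which is exactly the gap the reply points at; the full escaper passes for every input.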