From kde-commits Sun Jun 29 08:29:30 2008
From: Sebastian Trüg
Date: Sun, 29 Jun 2008 08:29:30 +0000
To: kde-commits
Subject: Re: KDE/kdebase/runtime/nepomuk/strigibackend
Message-Id: <200806291029.30801.strueg () mandriva ! com>
X-MARC-Message: https://marc.info/?l=kde-commits&m=121472819324997

On Sunday 29 June 2008 09:53:50 Oswald Buddenhagen wrote:
> On Sat, Jun 28, 2008 at 09:47:59PM +0000, Sebastian Trueg wrote:
> > - properly escape quotes in sparql queries.
> >
> > --- trunk/KDE/kdebase/runtime/nepomuk/strigibackend/sopranoindexreader.cpp #825632:825633
> > - .arg( QString::fromUtf8( parent.c_str() ) )
> > + .arg( QString::fromUtf8( parent.c_str() ).replace( '\"', "\\\"" ) )
>
> and what about backslashes?
> fwiw, you just partially closed an sql injection security hole. i'm not
> sure how much mischief can be done with that, but it sure is worth some
> serious thought.

No, actually, there is no security problem here. This is sparql, not sql, it is read-only.
But anyway, you are probably right, and I should escape backslashes, too.
Thanks for the hint.

Cheers,
Sebastian
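Review bot: the replace() in the `+` line escapes `"` but not `\`, so a `parent` value whose last character is a backslash turns the inserted `\"` into an escaped quote and the literal never closes, which changes the structure of the query rather than just its value. Replace `\` with `\\` before replacing `"` (or escape both in a single pass), and also cover newline and carriage return, which SPARQL does not permit unescaped inside a `"..."` literal. Since this is done inline in the `.arg()` call, consider a small escaping helper so every literal built in sopranoindexreader.cpp goes through the same code.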
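The backslash point raised in the thread, as an added example that is not code from the Nepomuk strigibackend: the quote-only escape from the commit beside an escape that also handles backslash and control characters, with a small lexer-style check showing which one leaves the literal unterminated. It assumes std::string in place of QString (so it builds without Qt) and an illustrative ex:parent predicate that does not come from the project.

```cpp
#include <cstddef>
#include <string>

// What the commit does: replace '"' with '\"' and nothing else.
std::string escapeQuoteOnly(const std::string& in) {
    std::string out;
    for (char c : in) {
        if (c == '"') out += "\\\"";
        else out += c;
    }
    return out;
}

// Escape for a double-quoted SPARQL literal: backslash and quote, plus the
// control characters the grammar's ECHAR production covers. Done in one pass
// so a backslash emitted for one character is never re-escaped.
std::string escapeSparqlLiteral(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\\': out += "\\\\"; break;
            case '"':  out += "\\\""; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            default:   out += c;
        }
    }
    return out;
}

// Query shape similar to the commit's, with the already escaped value embedded
// as a literal. The prefix and predicate are assumed, for illustration only.
std::string buildQuery(const std::string& escapedParent) {
    return "SELECT ?r WHERE { ?r ex:parent \"" + escapedParent + "\" . }";
}

// Index of the closing quote of the literal that opens at query[start], using
// the rule a SPARQL lexer applies (a backslash escapes the next character).
// Returns std::string::npos when the literal never closes.
size_t literalEnd(const std::string& query, size_t start) {
    for (size_t i = start + 1; i < query.size(); ++i) {
        if (query[i] == '\\') { ++i; continue; }
        if (query[i] == '"') return i;
    }
    return std::string::npos;
}

// Offset from the opening quote to the closing quote after escaping `value`
// with `esc`, or npos if the value breaks the literal open.
size_t closingOffset(std::string (*esc)(const std::string&), const std::string& value) {
    std::string q = buildQuery(esc(value));
    size_t start = q.find('"');
    size_t end = literalEnd(q, start);
    return end == std::string::npos ? end : end - start;
}
```

A path ending in a backslash is the case the quote-only escape gets wrong: `closingOffset(escapeQuoteOnly, "dir\\")` is npos, while the full escape closes the literal after six characters.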