SQL: Escaping non alpha-numeric path variable names

Bug #633136 reported by Samppa Saarela on 2010-09-08
Affects: Querydsl
Status: Fix Released
Importance: Medium
Assigned to: Samppa Saarela
Milestone: (none)

Bug Description

It is possible to create paths with arbitrary expressions as names. These expressions are serialized as such, allowing SQL injection.

Variable names containing non-alpha-numeric letters should always be escaped.
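The following is an added illustration of the rule stated above, not code from Querydsl itself: a path or column name that is not plain alphanumeric is wrapped in quotes before it is serialized into SQL, so the name occupies exactly one identifier position in the statement instead of being interpreted as an expression. The class name, the `quote` and `select` helpers, the ANSI double-quote style, and the constructed hostile name are all assumptions made for this example (Querydsl's own serializer chooses the quoting characters per database dialect).

```java
import java.util.regex.Pattern;

/**
 * Added example, not Querydsl code: quote a path/column name before it is
 * serialized into SQL so that a name containing non-alphanumeric characters
 * cannot break out of the identifier position.
 */
public final class IdentifierQuoting {

    // Names that may be emitted as-is: a letter followed by letters or digits.
    // Everything else (spaces, punctuation, even underscores) is quoted,
    // which is the conservative reading of the rule in the report.
    private static final Pattern PLAIN = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    /**
     * Returns the name unchanged when it is plain; otherwise wraps it in
     * ANSI double quotes with any embedded double quote doubled, so the
     * closing quote cannot be supplied from inside the name.
     */
    public static String quote(String name) {
        if (PLAIN.matcher(name).matches()) {
            return name;
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /** Serializes a minimal SELECT with quoting applied to both identifiers. */
    public static String select(String column, String table) {
        return "select " + quote(column) + " from " + quote(table);
    }

    public static void main(String[] args) {
        // Plain names pass through untouched.
        System.out.println(select("name", "person"));
        // select name from person

        // Constructed hostile name (assumption for this example): an expression
        // smuggled in as a variable name, as the report describes.
        String hostile = "name from person; --";

        // Without escaping the expression lands in the statement verbatim and
        // the rest of the query is commented out.
        System.out.println("select " + hostile + " from person");

        // With quoting the whole string is one (non-existent) column identifier,
        // so the database rejects the query instead of executing the injected text.
        System.out.println(select(hostile, "person"));
        // select "name from person; --" from person
    }
}
```

One caveat worth keeping in mind when adopting this rule: in ANSI-style databases a quoted identifier is matched case-sensitively while an unquoted one is case-folded, so quoting names that were previously emitted bare can change which column a query resolves to; MySQL-style dialects use backticks rather than double quotes, which is why a real serializer needs per-dialect quoting rather than the fixed ANSI form shown here.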

visibility: private → public
summary: - Escaping non alpha-numeric path variable names
+ SQL: Escaping non alpha-numeric path variable names
Changed in querydsl:
importance: Undecided → Medium
Changed in querydsl:
assignee: nobody → Samppa Saarela (samppa-saarela)

Fixed in SVN trunk

Changed in querydsl:
status: New → Fix Committed

Released in 1.9.6

Changed in querydsl:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
