msValidateTimeValue(): reject strings with single quote character to avoid potential SQL injections (#3907)
rouault committed Nov 7, 2015
1 parent 4dacec0 commit 463d31f44622f6c0908ef87cadf2cb07df35c801
Showing with 4 additions and 0 deletions.
  1. +4 −0 maptime.c
@@ -443,6 +443,10 @@ int msValidateTimeValue(const char *timestring, const char *timeextent)
if (!timestring || !timeextent)
return MS_FALSE;
+ /* To avoid SQL injections */
+ if (strchr(timestring, '\''))
+ return MS_FALSE;
+
/* parse the time string. We support descrete times (eg 2004-09-21), */
/* multiple times (2004-09-21, 2004-09-22, ...) */
/* and range(s) (2004-09-21/2004-09-25, 2004-09-27/2004-09-29) */
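Review bot: Rejecting only `'` is a one-character denylist, so the check in this hunk stops the usual quote-based injection but says nothing about other SQL-significant input (`;`, `--`, backslash escapes); since the code right after it already parses the value against a fixed set of time formats (discrete values, comma-separated lists, `/` ranges), the stricter fix is to make msValidateTimeValue() return MS_FALSE for anything that does not parse as one of those formats, and to quote or bind the value at the point where it is actually interpolated into SQL rather than rely on this validator alone. The comment `/* To avoid SQL injections */` should also name where the time string later reaches SQL; a reader of maptime.c otherwise has no way to know why a time-format validator carries a quote check.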
