
msValidateTimeValue(): reject strings with single quote character to avoid potential SQL injections (#3907)
rouault committed Nov 7, 2015
1 parent 4dacec0 commit 463d31f44622f6c0908ef87cadf2cb07df35c801
Showing with 4 additions and 0 deletions.
  1. +4 −0 maptime.c
@@ -443,6 +443,10 @@ int msValidateTimeValue(const char *timestring, const char *timeextent)
if (!timestring || !timeextent)
return MS_FALSE;

/* To avoid SQL injections */
if (strchr(timestring, '\''))
return MS_FALSE;

/* parse the time string. We support descrete times (eg 2004-09-21), */
/* multiple times (2004-09-21, 2004-09-22, ...) */
/* and range(s) (2004-09-21/2004-09-25, 2004-09-27/2004-09-29) */
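
Review bot: The new check, if (strchr(timestring, '\'')), rejects only the single quote, which is a one-character denylist applied to a value that the comments right below describe as dates, comma-separated lists and "/" ranges. With a grammar that narrow, an allowlist of the characters the parser actually accepts (digits plus the date, time, list and range separators) would be stronger, since it would also reject characters such as backslash that can matter to a SQL backend; how timestring reaches a query is not visible in this hunk, so that depends on the callers. The comment "To avoid SQL injections" would be more useful if it named where timestring ends up in SQL and stated why timeextent, which passes the same NULL check above, does not need the same test. The commit touches only maptime.c, so a regression test that passes a time value containing a quote and expects MS_FALSE would be worth adding.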
