QSqlTableModel::setFilter and sql injection
-
Hi
Is the setFilter() argument taken directly to WHERE clause or is there some kind of SQL injection protection?If not... what would be the easiest way to have this protection? Parsing the setFilter() with QRegExp on my own?
I understand (correct me if I am wrong) that bindValue cannot be used with this model?
-
Hi
Is the setFilter() argument taken directly to WHERE clause or is there some kind of SQL injection protection?If not... what would be the easiest way to have this protection? Parsing the setFilter() with QRegExp on my own?
I understand (correct me if I am wrong) that bindValue cannot be used with this model?
@Seb-Tur said in QSqlTableModel::setFilter and sql injection:
Is the setFilter() argument taken directly to WHERE clause
Yes, see https://code.qt.io/cgit/qt/qtbase.git/tree/src/sql/models/qsqltablemodel.cpp#n978
or is there some kind of SQL injection protection?
no
If not... what would be the easiest way to have this protection?
Do not let the user pass a value to this function or write a fool-proof function to avoid sql injection (I would not try it).
