QSqlTableModel::setFilter and sql injection

    Seb Tur
    wrote on 17 Jul 2023, 09:41 last edited by Seb Tur
    #1

    Hi
    Is the setFilter() argument taken directly to WHERE clause or is there some kind of SQL injection protection?

    If not... what would be the easiest way to have this protection? Parsing the setFilter() with QRegExp on my own?

    I understand (correct me if I am wrong) that bindValue cannot be used with this model?

      Christian Ehrlicher
      Lifetime Qt Champion
      wrote on 17 Jul 2023, 14:43 last edited by
      #2

      @Seb-Tur said in QSqlTableModel::setFilter and sql injection:

      Is the setFilter() argument taken directly to WHERE clause

      Yes, see https://code.qt.io/cgit/qt/qtbase.git/tree/src/sql/models/qsqltablemodel.cpp#n978

      or is there some kind of SQL injection protection?

      No.

      If not... what would be the easiest way to have this protection?

      Do not let the user pass a value to this function, or write a fool-proof function to avoid SQL injection (I would not try it).

      Qt Online Installer direct download: https://download.qt.io/official_releases/online_installers/
      Visit the Qt Academy at https://academy.qt.io/catalog
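
One way to follow the first option in the answer above, shown as an added example that is not part of the thread and is not Qt code: the filter string is assembled only from allowlisted column names, a fixed operator set, and an integer that is parsed and re-serialized, so no user-supplied text reaches the WHERE clause. The names `kColumns`, `kOps`, `parseInt` and `buildFilter`, and the sample schema, are hypothetical.

```cpp
// Added example, not from the thread. Standard C++17 only (no Qt needed to build);
// the returned string is what would be passed to QSqlTableModel::setFilter().
#include <charconv>
#include <iostream>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>

// Hypothetical schema: UI key -> fixed column name. User text never becomes an identifier.
static const std::map<std::string_view, std::string_view> kColumns = {
    {"id", "id"}, {"age", "age"}, {"dept", "department_id"}};

// Fixed operator set; anything not listed here is rejected.
static const std::map<std::string_view, std::string_view> kOps = {
    {"eq", "="}, {"lt", "<"}, {"gt", ">"}, {"le", "<="}, {"ge", ">="}};

// Accept only a complete signed 64-bit decimal integer: no whitespace, no trailing bytes.
std::optional<long long> parseInt(std::string_view s) {
    if (s.empty()) return std::nullopt;
    long long v = 0;
    const char* end = s.data() + s.size();
    auto [p, ec] = std::from_chars(s.data(), end, v);
    if (ec != std::errc() || p != end) return std::nullopt;
    return v;
}

// Returns a WHERE fragment, or nullopt if any part fails validation.
std::optional<std::string> buildFilter(std::string_view field, std::string_view op,
                                       std::string_view rawValue) {
    auto c = kColumns.find(field);
    auto o = kOps.find(op);
    auto v = parseInt(rawValue);
    if (c == kColumns.end() || o == kOps.end() || !v) return std::nullopt;
    // Re-serialize the parsed number so the output contains none of the user's bytes.
    return std::string(c->second) + " " + std::string(o->second) + " " + std::to_string(*v);
}

int main() {
    // Constructed sample inputs: one valid request, one with trailing SQL text.
    for (const char* raw : {"18", "18 OR 1=1"}) {
        auto f = buildFilter("age", "ge", raw);
        std::cout << raw << " -> " << (f ? *f : "(rejected)") << "\n";
    }
}
```

This pattern covers numeric comparisons only. Free-text matching does not fit it; for that, run a QSqlQuery with bindValue() and display the result through QSqlQueryModel instead of concatenating text into setFilter().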
