#1474 closed defect (invalid)
Unsafe SQL queries may lead to injection or other problems
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Database layer (models, ORM) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Instead of doing this:
cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
(db.db.quote_name(opts.db_table), ','.join(field_names),
','.join(placeholders)), db_values)
one should do: cursor.execute('INSERT INTO ... VALUES (%s, %s, %d, etc.)', (arg1, arg2, arg3)).
The way it is done in Django causes problems with certain content. Why not let the dbapi handle the interpolation?
Change History (2)
comment:1 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 18 years ago
(And btw, you can't use real parameters for the table and column names – you have to use string formatting.)
Note:
See TracTickets
for help on using tickets.
String formatting is only used in that code to insert the table name and field names… the actual values are passed using real parameters.