Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#1474 closed defect (invalid)

Unsafe SQL queries may lead to injection or other problems

Reported by: wsobczuk@… Owned by: Adrian Holovaty
Component: Database layer (models, ORM) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Instead of doing this:

        cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
            (db.db.quote_name(opts.db_table), ','.join(field_names),
            ','.join(placeholders)), db_values)

one should do: cursor.execute('INSERT INTO ... VALUES (%s, %s, %d, etc.)', (arg1, arg2, arg3)).

The way it is done in Django causes problems with certain content. Why not let the dbapi handle the interpolation?

Change History (2)

comment:1 Changed 13 years ago by Christopher Lenz <cmlenz@…>

Resolution: invalid
Status: newclosed

String formatting is only used in that code to insert the table name and field names… the actual values are passed using real parameters.

comment:2 Changed 13 years ago by Christopher Lenz <cmlenz@…>

(And btw, you can't use real parameters for the table and column names – you have to use string formatting.)

Note: See TracTickets for help on using tickets.
Back to Top