Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1474 closed defect (invalid)

Unsafe SQL queries may lead to injection or other problems

Reported by: wsobczuk@…
Owned by: adrian
Component: Database layer (models, ORM)
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Instead of doing this:

        cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
            (db.db.quote_name(opts.db_table), ','.join(field_names),
            ','.join(placeholders)), db_values)

one should do: cursor.execute('INSERT INTO ... VALUES (%s, %s, %d, etc.)', (arg1, arg2, arg3)).

The way it is done in Django causes problems with certain content. Why not let the dbapi handle the interpolation?

Attachments (0)

Change History (2)

comment:1 Changed 8 years ago by Christopher Lenz <cmlenz@…>

  • Resolution set to invalid
  • Status changed from new to closed

String formatting is only used in that code to insert the table name and field names… the actual values are passed using real parameters.

comment:2 Changed 8 years ago by Christopher Lenz <cmlenz@…>

(And btw, you can't use real parameters for the table and column names – you have to use string formatting.)
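The two points made in this thread, that values must go through DB-API parameters while table and column names cannot and therefore have to be quoted and interpolated, are shown together in the following added example. It is not Django's code: `quote_name` here is a hypothetical minimal stand-in for the backend helper named in the ticket (strict whitelist plus double quotes), and the example runs against the standard-library `sqlite3` module, which uses `?` placeholders instead of `%s`. The table name, the row values and the malformed identifier are all constructed for the demonstration.

```python
import re
import sqlite3

# Hypothetical stand-in for the backend's quote_name: accept only plain
# identifiers and wrap them in double quotes. Identifiers cannot be bound as
# DB-API parameters, so validation plus quoting is what keeps interpolating
# them into the SQL text safe.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_name(name):
    """Validate a table or column name and return it as a quoted identifier."""
    if not _IDENT_RE.match(name):
        raise ValueError("unsafe identifier: %r" % (name,))
    return '"%s"' % name


def insert_row(conn, table, fields, values):
    """Build the INSERT the way the ticket's snippet does: identifiers are
    quoted and interpolated with string formatting, values are passed to
    execute() as real parameters and never touch the SQL text."""
    if len(fields) != len(values):
        raise ValueError("fields and values must have the same length")
    placeholders = ", ".join("?" for _ in values)  # sqlite3 placeholder style
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        quote_name(table),
        ", ".join(quote_name(f) for f in fields),
        placeholders,
    )
    cur = conn.cursor()
    cur.execute(sql, values)  # the driver binds the values, no interpolation
    conn.commit()
    return cur.lastrowid


def fetch_names(conn, table):
    """Read back the stored names; the table name is again quoted, not bound."""
    cur = conn.execute("SELECT name FROM %s ORDER BY id" % quote_name(table))
    return [row[0] for row in cur.fetchall()]


def identifier_as_parameter_works(conn):
    """Try to bind the table name as a parameter. SQLite rejects the statement
    because a bound parameter can only stand for a value, not an identifier."""
    try:
        conn.execute("SELECT name FROM ?", ("person",))
    except sqlite3.OperationalError:
        return False
    return True


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "person" (id INTEGER PRIMARY KEY, name TEXT)')

    # Constructed value with quote characters and SQL-looking text. Because it
    # is bound as a parameter it is stored literally and the table survives.
    tricky = "O'Brien'); DROP TABLE person; --"
    insert_row(conn, "person", ["name"], [tricky])
    insert_row(conn, "person", ["name"], ["Ada"])
    names = fetch_names(conn, "person")

    # Constructed malformed identifier: the whitelist in quote_name rejects it
    # before it can reach the string-formatted part of the query.
    try:
        quote_name('person"; DROP TABLE person; --')
        bad_identifier_rejected = False
    except ValueError:
        bad_identifier_rejected = True

    return names, identifier_as_parameter_works(conn), bad_identifier_rejected


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the stored names (the tricky string intact), `False` for the attempt to bind an identifier as a parameter, and `True` for the rejected identifier. With Django's real backends the placeholder is `%s` and `quote_name` is backend-specific, but the split is the same: identifiers are validated and quoted into the SQL string, values are handed to the driver.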
