Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#1474 closed defect (invalid)

Unsafe SQL queries may lead to injection or other problems

Reported by: wsobczuk@… Owned by: adrian
Component: Database layer (models, ORM) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Instead of doing this:

        cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
            (db.db.quote_name(opts.db_table), ','.join(field_names),
            ','.join(placeholders)), db_values)

one should do: cursor.execute('INSERT INTO ... VALUES (%s, %s, %d, etc.)', (arg1, arg2, arg3)).

The way it is done in Django causes problems with certain content. Why not let the dbapi handle the interpolation?

Change History (2)

comment:1 Changed 10 years ago by Christopher Lenz <cmlenz@…>

  • Resolution set to invalid
  • Status changed from new to closed

String formatting is only used in that code to insert the table name and field names… the actual values are passed using real parameters.

comment:2 Changed 10 years ago by Christopher Lenz <cmlenz@…>

(And btw, you can't use real parameters for the table and column names – you have to use string formatting.)
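The distinction drawn in the two comments above, as an added example that is not Django's code: table and column names are quoted and spliced in with string formatting, while the values travel as real DB-API parameters. It uses sqlite3 and a small hypothetical quote_name helper standing in for Django's db.db.quote_name; the "tricky" row is constructed sample content.

```python
import sqlite3


def quote_name(name):
    """Quote an SQL identifier (table or column name) for SQLite.

    Stand-in for Django's db.db.quote_name (hypothetical helper). Identifiers
    cannot be passed as DB-API parameters, so they are quoted here and spliced
    into the statement with string formatting; an embedded double quote is
    doubled, as the SQL standard requires.
    """
    return '"%s"' % name.replace('"', '""')


def insert_row(conn, table, field_names, values):
    """Build the INSERT the way the ticket's snippet does: identifiers via
    quote_name + string formatting, values via DB-API parameters only."""
    if len(field_names) != len(values):
        raise ValueError("field_names and values must have the same length")
    placeholders = ["?"] * len(values)  # sqlite3 uses the qmark paramstyle
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        quote_name(table),
        ",".join(quote_name(f) for f in field_names),
        ",".join(placeholders),
    )
    # The values never touch the SQL text; the driver binds them.
    conn.execute(sql, tuple(values))
    return sql


def demo():
    """Constructed sample: content with quotes, a percent sign and a
    semicolon is stored intact because it is bound, not formatted in."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "polls_choice" ("choice" TEXT, "votes" INTEGER)')
    tricky = "100% sure; it's 'quoted' -- and \"double\""
    sql = insert_row(conn, "polls_choice", ["choice", "votes"], [tricky, 3])
    row = conn.execute('SELECT "choice", "votes" FROM "polls_choice"').fetchone()
    return sql, row


if __name__ == "__main__":
    print(demo())
```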
