﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14991	SQL injection in quote_name()	Ivan	nobody	"
{{{
183 	    def quote_name(self, name):
184 	        if name.startswith(""`"") and name.endswith(""`""):
185 	            return name # Quoting once is enough.
186 	        return ""`%s`"" % name
}}}

http://code.djangoproject.com/browser/django/trunk/django/db/backends/mysql/base.py#L183

name = '!`column_name!`; DROP database !`dbname!`' # taken from the request (a user-chosen sort column) and then passed to extra() or order_by()[[BR]]

sql='SELECT * FROM... ORDER BY !`column_name!`; DROP database !`dbname!`'


"		closed	Database layer (models, ORM)			invalid	sql injection		Unreviewed	0	0	0	0	0	0
