
Author: illume
Recipients: illume
Date: 2011-03-26 16:18:38
Message-id: <1301156318.95.0.463005530171.issue11685@psf.upfronthosting.co.za>
Content
Hi,
you can possibly do an SQL injection via table names (and maybe some other parts of queries). Tested with sqlite3, but maybe it affects others too.
You cannot do parameter substitution for table names, so people use normal Python string formatting instead.
If the table name comes from an untrusted source, then possibly an SQL injection could happen.
cheers,
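The pattern the report describes, shown side by side with a defensive version, as an added example written for this page (not code from the report, from CPython, or from the sqlite3 module). The schema, the table contents and the function names (`make_db`, `count_rows_unsafe`, `table_exists`, `quote_identifier`, `count_rows_safe`) are constructed for the illustration. The defensive version does two things that the `?` placeholder cannot do for an identifier: it checks the requested name against the database catalogue as bound data (an allow-list), and only then splices it in as a properly double-quoted SQLite identifier. The same approach covers column names, which the report mentions in passing.

```python
import sqlite3

# Constructed sample schema for the demonstration (not from the report).
CONSTRUCTED_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
INSERT INTO users (name) VALUES ('alice'), ('bob');
INSERT INTO secrets (token) VALUES ('constructed-token');
"""


def make_db():
    """Return a fresh in-memory database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(CONSTRUCTED_SCHEMA)
    return conn


def count_rows_unsafe(conn, table):
    """VULNERABLE: the identifier is spliced in with string formatting.

    Whatever follows the name in `table` is parsed as SQL, so an untrusted
    value can change the meaning of the statement.
    """
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


def table_exists(conn, name):
    """Allow-list check: compare the requested name against sqlite_master.

    The name travels as a bound parameter (data), so nothing inside it can
    reach the SQL parser; only an exact catalogue match passes.
    """
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def quote_identifier(name):
    """Quote a name as a SQLite identifier: wrap in double quotes and double
    any embedded double quote, so the result is always read as one identifier."""
    return '"' + name.replace('"', '""') + '"'


def count_rows_safe(conn, table):
    """Hardened counterpart of count_rows_unsafe.

    Rejects any name that is not an existing table and quotes the identifier
    before formatting it into the statement.
    """
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % (table,))
    return conn.execute(
        "SELECT COUNT(*) FROM %s" % quote_identifier(table)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed untrusted input: a name with a trailing clause appended.
    untrusted = "users WHERE id = 1"
    print("unsafe, trusted name  :", count_rows_unsafe(db, "users"))      # 2
    print("unsafe, untrusted name:", count_rows_unsafe(db, untrusted))    # 1, query was altered
    print("safe, trusted name    :", count_rows_safe(db, "users"))        # 2
    try:
        count_rows_safe(db, untrusted)
    except ValueError as exc:
        print("safe, untrusted name  : rejected ->", exc)
```

Run as a script, the unsafe function quietly returns a different count for the untrusted value because the appended clause became part of the statement; the safe function refuses it before any statement is built. The catalogue check is the important half: quoting alone stops the parser from reading past the name, but it would still let a caller reach any table, so pair it with an allow-list drawn from `sqlite_master` or from a fixed set of names in the application.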
History
Date                | User   | Action | Args
2011-03-26 16:18:39 | illume | set    | recipients: + illume
2011-03-26 16:18:38 | illume | set    | messageid: <1301156318.95.0.463005530171.issue11685@psf.upfronthosting.co.za>
2011-03-26 16:18:38 | illume | link   | issue11685 messages
2011-03-26 16:18:38 | illume | create |
