[New-bugs-announce] [issue11685] possible SQL injection into db APIs via table names... sqlite3
Rene Dudfield
report at bugs.python.org
Sat Mar 26 17:18:38 CET 2011
New submission from Rene Dudfield <illume at users.sourceforge.net>:
Hi,
you can possibly do an SQL injection via table names (and maybe some other parts of queries). Tested with sqlite3, but maybe it affects others too.
You cannot do parameter substitution for table names, so people use normal Python string formatting instead.
If the table name comes from an untrusted source, then possibly an SQL injection could happen.
cheers,
----------
messages: 132247
nosy: illume
priority: normal
severity: normal
status: open
title: possible SQL injection into db APIs via table names... sqlite3
type: security
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11685>
_______________________________________
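The behaviour described in the report, as an added example that is not part of the original message or of the sqlite3 module: `?` cannot bind a table name, string formatting lets the name change the query, and an allow-list plus identifier quoting closes the gap. The table, the allow-list, the helper names and the untrusted value are constructed for illustration.

```python
import sqlite3

# Hypothetical allow-list: the only tables a caller may name.
ALLOWED_TABLES = frozenset({"users"})

def quote_identifier(name):
    """Quote an identifier the SQLite way: wrap in double quotes, double embedded ones."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'

def placeholder_rejected(conn):
    """'?' binds values only, so using it for a table name fails to parse."""
    try:
        conn.execute("SELECT count(*) FROM ?", ("users",))
    except sqlite3.OperationalError:
        return True
    return False

def count_rows_unsafe(conn, table):
    # The pattern the report describes: the name is pasted into the SQL text.
    return conn.execute("SELECT count(*) FROM %s" % table).fetchone()[0]

def count_rows_safe(conn, table):
    # Reject anything not on the allow-list, then quote as defence in depth.
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (table,))
    sql = "SELECT count(*) FROM " + quote_identifier(table)
    return conn.execute(sql).fetchone()[0]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("bob", 0), ("root", 1)])
    # Constructed untrusted input: a "table name" that carries its own WHERE clause.
    untrusted = "users WHERE is_admin = 1"
    results = {"placeholder_rejected": placeholder_rejected(conn),
               "unsafe": count_rows_unsafe(conn, untrusted),
               "safe_ok": count_rows_safe(conn, "users")}
    try:
        count_rows_safe(conn, untrusted)
        results["safe_rejects"] = False
    except ValueError:
        results["safe_rejects"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The unsafe helper returns a count for a different query than the caller wrote, while the safe helper refuses the same input before any SQL is built.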