Problem inserting into Postgres (PgSQL) database

Dave Reed dreed at capital.edu
Thu Jun 19 15:03:25 EDT 2003 

On Thursday 19 June 2003 12:23, Gerhard Häring wrote:
> Dave Reed wrote:
> > On Thursday 19 June 2003 06:52, Gerhard Häring wrote:
> >>mupeso at arc.sn wrote:
> >>>[...]
> >>>sql= "insert into radcheck2 
(uid,login,passwd,shell,homedir,domain_name,acc_expired) values 
("+str(uid) 
+",'"+login+"','"+passwd+"','"+shell+"','"+homedir+"','"+dom_name+"','n')"
> >>[...]
> 
> >>Second, your style of constructing SQL is a bad one. Use the DB-API 
way 
> >>of quoting the various datatypes instead:
> >>[...]
> >>The way you're constructing your SQL statement now is a security 
> >>vulnerability if any of the fields can come from an untrusted 
source.
> > 
> > Could you please elaborate on how your method is more secure? Isn't 
it
> > the same result since the %s are replaced with the values from the
> > variable.
> 
> A DB-API adapter always does the quoting right, even if there are 
> 'strange' characters in the string. The OP basically always quoted 
> strings using
> 
> 	"'%s'" % value
> 
> Now if value comes from an untrusted source, this opens up the 
> possibility for arbitrary SQL injection.
> 
> Let's suppose the code in question is this one:
> 
> sql = "INSERT INTO TEST(FOO) VALUES ('%s')" % value
> 
> Now an untrusted partie could make value look like this:
> 
> 	value = "'); DELETE FROM TEST; --"
> 
> Which results in this SQL to be executed:
> 
> INSERT INTO TEST(FOO) VALUES (''); DELETE FROM TEST; --')
> 
> The comment "--" will make the illegal characters disappear, and 
> appriate use of single quotes and semicolon make it possible to insert 
> an additional SQL statement to be executed.
> 
> To safely insert strings in SQL statements, you need to at least 
escape 
> single quotes. pyPgSQL does this already for you. This is PostgreSQL, 
> where this is necessary - other databases, like Oracle can transmit 
SQL 
> with placeholders and actual values to be inserted seperately and 
that's 
> what their Python adapters do if you use the DB-API way of quoting.

Ah, thanks. In my situation, I'm already handling the quoting issue
with my own Python code before executing the SQL statements. I guess I
could have saved myself some work if I'd have looked into this first.

Thanks,
Dave

More information about the Python-list mailing list