This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Fix 'Possible SQL injection vector through string-based query construction.' issue in server\main.py #7

Closed
devfinwiz opened this issue Apr 12, 2023 · 2 comments · Fixed by #51

Comments

@devfinwiz
Owner

CodeFactor found an issue: Possible SQL injection vector through string-based query construction.

It's currently on:
server\main.py:73
Commit 9cabd6f

@devfinwiz devfinwiz added the bug Something isn't working label Apr 12, 2023
@devfinwiz
Owner Author

Example of insecure code:

import MySQLdb

# 'name' is untrusted input (for example a request parameter). Formatting it
# straight into the SQL text is the pattern CodeFactor flagged: an input such
# as  ' OR '1'='1  becomes part of the statement instead of a compared value.
query = "select username from users where username = '%s'" % name
con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb')

with con:
    cur = con.cursor()
    cur.execute(query)

Example of secure code:

import MySQLdb

# Keep the SQL text constant and pass 'name' to the driver as a parameter.
# MySQLdb quotes and escapes the value itself, so the input can never alter
# the query structure. Escaping the already-formatted query string with
# MySQLdb.escape_string(query) is not a fix: it would escape the statement's
# own quotes and break the query rather than separate data from SQL.
query = "select username from users where username = %s"
con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb')

with con:
    cur = con.cursor()
    cur.execute(query, (name,))
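
The following is an added, self-contained demonstration of the difference between the two patterns above; it is not code from this repository or from the comment. It uses Python's built-in sqlite3 as an in-memory stand-in for the MySQL `testdb` (an assumption made so it runs offline), a constructed `users` table and a constructed injection payload. sqlite3 uses `?` placeholders where MySQLdb uses `%s`, but the `execute(sql, (value,))` call shape and the security property are the same.

```python
import sqlite3

# Constructed sample data; not taken from the project.
USERS = [("alice",), ("bob",), ("carol",)]

# Constructed injection payload: closes the attacker-controlled string and
# appends an always-true condition.
PAYLOAD = "' or '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the MySQL 'testdb' on the page."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text)")
    con.executemany("insert into users (username) values (?)", USERS)
    con.commit()
    return con


def insecure_lookup(con: sqlite3.Connection, name: str) -> list[str]:
    """Mirrors the flagged pattern: the input is spliced into the SQL text,
    so quotes inside 'name' change the statement itself."""
    query = "select username from users where username = '%s'" % name
    return [row[0] for row in con.execute(query)]


def secure_lookup(con: sqlite3.Connection, name: str) -> list[str]:
    """Parameterized query: the SQL text is fixed and 'name' travels to the
    engine as a bound value. The MySQLdb equivalent is
    cur.execute("select username from users where username = %s", (name,))."""
    query = "select username from users where username = ?"
    return [row[0] for row in con.execute(query, (name,))]


def demo() -> dict:
    """Run both lookups with an honest username and with the payload."""
    con = make_db()
    return {
        "honest_insecure": insecure_lookup(con, "alice"),
        "honest_secure": secure_lookup(con, "alice"),
        # The payload turns the insecure query into
        # select username from users where username = '' or '1'='1'
        # which matches every row.
        "payload_insecure": insecure_lookup(con, PAYLOAD),
        # The same payload is just an unusual username here; no row matches.
        "payload_secure": secure_lookup(con, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both lookups return the same result for a normal username; only the string-formatted version leaks every row when given the payload. Applying the same change to the flagged line in server\main.py (constant SQL text, values passed in the args tuple) removes the finding without any manual escaping.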

@devfinwiz
Owner Author

@yash-dk Can you please wind up this issue in the near future?
