possible SQL injection into db APIs via table names... sqlite3 #55894
Comments
Hi, you can possibly do an SQL injection via table names (and maybe some other parts of queries). Tested with sqlite3, but maybe it affects others too. You cannot do parameter substitution for table names, so people use normal Python string formatting instead. If the table name comes from an untrusted source, then possibly an SQL injection could happen. cheers,
Why do you think this is a bug in Python?
Hello, because the sqlite3 package comes with Python.
But putting untrusted strings into the table name is a bug in the application, not in Python.
The bug in Python is that you cannot use parameter substitution to put the table names into the queries. So people are forced to use string substitution instead.
Ah. That's not a limitation of Python, but a limitation of sqlite. See http://www.sqlite.org/c3ref/bind_blob.html for how parameter binding works. The table name is not supported as a parameter; neither are column names or database names. So if you want this feature added, please request it from the sqlite developers; Python will then naturally inherit it. I'm skeptical that they are open to such a proposal, though, since it will be a massive change in SQL parsing.
Hi, aaah, ok. It seems to require the use of a quote function. See http://www.sqlite.org/c3ref/mprintf.html However, Python does not seem to expose the function? I don't see how you can write safe queries using Python without it.
Aren't you supposed to use the DB API to get safe queries?
Yes, but the OP complains that the DB API doesn't support specification |
No SQL library that I know of provides a way to escape table names. The quoting functions are always meant to escape string parameters. This is true for sqlite3_mprintf(), too (the %q and %Q options). If you build table names from user input, your database design is somehow flawed.
Hi, Here is an article with people trying to find a solution: "The psycopg2 documentation explicitly recommends using normal python % or {} formatting to substitute in table and column names." SQLAlchemy uses a format_table method with their SQL compiler to quote table names for sqlite. It's probably just sane to either use SQLAlchemy, use ctypes to get at the sqlite mprintf function, or perhaps look at the above stackoverflow article for more solutions. There is Python code out there vulnerable to attack, that doesn't quote table names correctly. Including at least one major Python framework. Hopefully people who care will follow some of the above links. cheers,
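The defensive pattern the thread circles around, written out as an added example (not code from the issue or from CPython): since sqlite3 only binds values, an untrusted table name is first checked against the tables SQLite already knows (an allowlist query with a bound parameter) and then quoted by SQLite's identifier rule (double quotes, embedded double quotes doubled, the same rule as mprintf's %w). The table and row contents are constructed here for demonstration; `count_rows_unsafe` shows the formatting pattern the thread warns against beside the checked version.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database used as sample input (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        'CREATE TABLE users (id INTEGER, name TEXT);'
        'CREATE TABLE "odd""name" (x INTEGER);'  # stored name is: odd"name
        "INSERT INTO users VALUES (1, 'alice');"
    )
    return conn


def quote_identifier(name: str) -> str:
    """Quote an identifier by SQLite's rule: wrap in double quotes and
    double every embedded double quote. Implemented here because the
    sqlite3 module does not expose sqlite3_mprintf."""
    return '"' + name.replace('"', '""') + '"'


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Allowlist check: the untrusted name is passed as a bound parameter
    and must match a table SQLite itself has in its catalog."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def count_rows_unsafe(conn: sqlite3.Connection, table: str) -> int:
    """The pattern from the thread: the name is formatted straight into
    the statement, so whatever it contains becomes part of the SQL."""
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


def count_rows_safe(conn: sqlite3.Connection, table: str) -> int:
    """Reject names that are not existing tables, then quote the survivor."""
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % table)
    sql = "SELECT COUNT(*) FROM " + quote_identifier(table)
    return conn.execute(sql).fetchone()[0]
```

Names containing a double quote (such as the constructed `odd"name` table) still work through the quoted path, which is exactly the case naive formatting or a hand-rolled regex tends to get wrong.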