On Feb 7, 2008 4:15 AM, Alexandre Martani <[EMAIL PROTECTED]> wrote:
> Hi,
> When I try to save a string containing NUL character (\x00), only the
> part before the character is saved. I have created a simple model:
>
> class Test(models.Model):
>     content = models.TextField()

Text fields are not meant to store binary data. This might as well be
the underlying RDBMS limitation.

> Since python supports NUL character in strings, Django should support
> them too, or at least raise an error, or just drop it, but not losing
> all the end of the string.

Have you confirmed that the SQL generated by Django does not contain
the null character?

> Also, it is possible to send a NUL
> character through GET or POST, so I think this bug could lead to a SQL
> Injection.

What kind of injection? It did not terminate the SQL query, just the
contents of one field. SQL termination in the middle of a quoted
string would result in a failed transaction. Also, AFAIR Django uses
prepared statements so there's no possibility to execute code from a
bound variable.

-- 
Patryk Zawadzki
PLD Linux Distribution
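
The bound-variable point from the reply above, as an added example that is not part of the original thread and is not Django code: a value containing a quote, SQL text and a NUL is passed as a bound parameter, and the table is checked afterwards. It assumes Python's standard-library sqlite3 as a stand-in backend (other databases treat NUL in text differently); `reject_nul` is a hypothetical validator showing the "at least raise an error" option.

```python
import sqlite3

# Constructed sample input: a quote, SQL text and an embedded NUL in one value.
SAMPLE = "safe'); DROP TABLE test; --\x00tail"


def store_bound(conn, value):
    """Insert value as a bound parameter and return what the database gives back."""
    cur = conn.execute("INSERT INTO test (content) VALUES (?)", (value,))
    row = conn.execute(
        "SELECT content FROM test WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def reject_nul(value):
    """Hypothetical validator: raise rather than let a backend truncate silently."""
    if "\x00" in value:
        raise ValueError("NUL character not allowed in text field")
    return value


def demo():
    """Create an in-memory table (assumed schema) and store SAMPLE through a bind."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, content TEXT)")
    stored = store_bound(conn, SAMPLE)
    return conn, stored


if __name__ == "__main__":
    conn, stored = demo()
    print("table intact:", table_exists(conn, "test"))
    print("round trip equal:", stored == SAMPLE)
    try:
        reject_nul(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```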