Petri Lehtinen pe...@digip.org added the comment:
No SQL library that I know of provides a way to escape table names. The quoting
functions are always meant to escape string parameters. This is true for
sqlite3_mprintf(), too (the %q and %Q options).
If you build table names from user input,
Rene Dudfield ill...@users.sourceforge.net added the comment:
Hi,
Here is an article with people trying to find a solution:
http://stackoverflow.com/questions/6514274/how-do-you-escape-strings-for-sqlite-table-column-names-in-python
The psycopg2 documentation explicitly recommends using normal
Changes by Petri Lehtinen pe...@digip.org:
--
nosy: +petri.lehtinen
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11685
___
Martin v. Löwis mar...@v.loewis.de added the comment:
> Aren’t you supposed to use the DB API to get safe queries?
> http://docs.python.org/dev/library/sqlite3
Yes, but the OP complains that the DB API doesn't support specification
of the table name from a parameter. So the DB API won't help
Rene Dudfield ill...@users.sourceforge.net added the comment:
Hi,
aaah, ok.
It seems to require the use of a quote function. See
http://www.sqlite.org/c3ref/mprintf.html
However python does not seem to expose the function? I don't see how you can
write safe queries using python without
Éric Araujo mer...@netwok.org added the comment:
Aren’t you supposed to use the DB API to get safe queries?
http://docs.python.org/dev/library/sqlite3
--
nosy: +eric.araujo
New submission from Rene Dudfield ill...@users.sourceforge.net:
Hi,
you can possibly do an SQL injection via table names (and maybe some other
parts of queries). Tested with sqlite3, but maybe it affects others too.
You cannot do parameter substitution for table names, so people use normal
Martin v. Löwis mar...@v.loewis.de added the comment:
Why do you think this is a bug in Python?
--
nosy: +loewis
Rene Dudfield ill...@users.sourceforge.net added the comment:
Hello,
because the sqlite3 package comes with Python.
Martin v. Löwis mar...@v.loewis.de added the comment:
But putting untrusted strings into the table name is a bug in the application,
not in Python.
Rene Dudfield ill...@users.sourceforge.net added the comment:
The bug in Python is that you cannot use parameter substitution to put the
table names into the queries. So people are forced to use string substitution
instead.
Martin v. Löwis mar...@v.loewis.de added the comment:
Ah. That's not a limitation of Python, but a limitation of sqlite. See
http://www.sqlite.org/c3ref/bind_blob.html
for how parameter binding works. The table name is not supported as a
parameter; neither are column names or database names.
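The defensive pattern this thread circles around, written out as an added example (not code from the tracker thread or from CPython's sqlite3 module): since a table name cannot be bound as a parameter, check it against the tables that actually exist in sqlite_master and quote it as an identifier (double quotes, embedded double quotes doubled). The schema, table names and hostile input below are constructed for the demonstration.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote a table or column name for SQLite: wrap it in double quotes
    and double any embedded double quote (the SQL-standard identifier rule)."""
    if "\x00" in name:  # a NUL byte would truncate the name in the C layer
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def existing_tables(conn: sqlite3.Connection) -> set:
    """Allowlist: the table names the schema actually contains."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Interpolate only a validated, quoted identifier; values stay bound."""
    if table not in existing_tables(conn):
        raise ValueError(f"unknown table: {table!r}")
    sql = f"SELECT COUNT(*) FROM {quote_identifier(table)}"
    return conn.execute(sql).fetchone()[0]


def demo() -> dict:
    # Constructed schema: one ordinary table, one whose name contains a quote.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        'CREATE TABLE "odd""name" (x);'
        "INSERT INTO users (name) VALUES ('alice');"
        "INSERT INTO users (name) VALUES ('bob');"
    )
    results = {"users": count_rows(conn, "users"),
               "odd_name": count_rows(conn, 'odd"name')}
    hostile = 'users"; DROP TABLE users; --'  # constructed untrusted input
    try:
        count_rows(conn, hostile)
        results["hostile"] = "executed"
    except ValueError:
        results["hostile"] = "rejected by allowlist"
    # Quoting alone also keeps the whole string one identifier: SQLite
    # reports a missing table rather than seeing a second statement.
    try:
        conn.execute(f"SELECT COUNT(*) FROM {quote_identifier(hostile)}")
    except sqlite3.OperationalError as exc:
        results["quoted_only"] = str(exc)
    results["users_intact"] = "users" in existing_tables(conn)
    return results
```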