On Wed, May 18, 2011 at 12:44:46PM +0200, Ionuț Arțăriși wrote:
>
> I have attached a patch to add a new method to the API which returns
> the names of erratas when given a list of errata ids. We need this
> so we can call it from actions/errata.py in the
> zypp-plugin-spacewalk.

[...]

> + # transform the list of ints to an sql list that we can forcibly
> + # insert into the sql statement
> + sql_list = ', '.join([str(i) for i in errata_ids])
> +
> + sql = """SELECT advisory_name FROM rhnerrata
> + WHERE id IN (%s)""" % sql_list
> + h = rhnSQL.prepare(sql)
> + h.execute()

Nack. This is SQL-injection-prone. You have to use bind parameters or sanitize the input properly.

Besides, if you allow the list of errata ids to be passed in, which would lead to multiple erratas to be returned, shouldn't you return the id as well to make it clear which advisory name belongs to which id?

--
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
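Review bot: the `sql_list = ', '.join([str(i) for i in errata_ids])` line followed by `% sql_list` splices caller-supplied values straight into the statement text, and nothing enforces the "list of ints" the comment assumes, since `str(i)` happily stringifies anything. Build one bind placeholder per element instead and pass the ids to `h.execute()` as bind parameters, rejecting any element that is not an int before the statement is built. Separately, `SELECT advisory_name FROM rhnerrata` returns only names, so with several ids the caller cannot tell which name belongs to which id; selecting `id, advisory_name` would make the mapping explicit.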
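The bind-parameter approach Jan asks for, carried through as an added example that is neither the submitted patch nor Spacewalk's rhnSQL code. It assumes an in-memory sqlite3 table standing in for rhnerrata, with sqlite3's positional `?` placeholders in place of rhnSQL bind parameters; each id gets its own placeholder so values never enter the SQL text, and the query returns the id next to the advisory name as suggested.

```python
import sqlite3

# Constructed sample rows standing in for the rhnerrata table.
SAMPLE_ERRATA = [
    (1, "RHSA-2011:0001"),
    (2, "RHBA-2011:0002"),
    (3, "RHEA-2011:0003"),
]


def make_db():
    """Build the constructed in-memory stand-in for the Spacewalk database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rhnerrata (id INTEGER PRIMARY KEY, advisory_name TEXT)")
    db.executemany("INSERT INTO rhnerrata VALUES (?, ?)", SAMPLE_ERRATA)
    return db


def errata_names_by_id(db, errata_ids):
    """Return [(id, advisory_name), ...] for the given ids using bind parameters.

    The only thing interpolated into the statement text is the placeholder
    list, which is derived from the count of ids, never from their values.
    Non-int elements are rejected up front rather than being str()-ed in.
    """
    ids = list(errata_ids)
    if not ids:
        return []
    for i in ids:
        # bool is a subclass of int, so exclude it explicitly.
        if not isinstance(i, int) or isinstance(i, bool):
            raise TypeError("errata_ids must contain only ints, got %r" % (i,))
    placeholders = ", ".join("?" for _ in ids)
    sql = (
        "SELECT id, advisory_name FROM rhnerrata "
        "WHERE id IN (%s) ORDER BY id" % placeholders
    )
    # The ids travel as bound values, so the database never parses them as SQL.
    return db.execute(sql, ids).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for row in errata_names_by_id(conn, [1, 3]):
        print(row)
```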