New submission from Rene Dudfield <ill...@users.sourceforge.net>:

Hi,

you can possibly do an SQL injection via table names (and maybe some other parts of queries). Tested with sqlite3, but maybe it affects others too.

You cannot do parameter substitution for table names, so people use normal Python string formatting instead. If the table name comes from an untrusted source, then possibly an SQL injection could happen.

cheers,

----------
messages: 132247
nosy: illume
priority: normal
severity: normal
status: open
title: possible SQL injection into db APIs via table names... sqlite3
type: security

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue11685>
_______________________________________
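The mitigation the report implies, as an added example that is not part of the tracker message: since a `?` placeholder can only bind a value, not an identifier, a table name taken from outside must be checked against an allowlist (here, the tables SQLite itself lists in `sqlite_master`) and quoted as an identifier before it is formatted into the SQL text. The in-memory schema and the helper names are constructed for this demonstration.

```python
import sqlite3

# Constructed in-memory database for the demonstration.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE "odd name" (id INTEGER PRIMARY KEY);
    INSERT INTO users (name) VALUES ('alice'), ('bob');
""")


def placeholder_for_table_fails(conn, table):
    """Why the report exists: a ? placeholder binds a value, never an identifier,
    so SQLite rejects it with a syntax error instead of naming the table."""
    try:
        conn.execute("SELECT count(*) FROM ?", (table,))
    except sqlite3.OperationalError:
        return True
    return False


def quote_identifier(name):
    """Quote an identifier the SQLite way: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def safe_table(conn, requested):
    """Accept a table name only if it exactly matches a table that exists in the
    schema (allowlist read from sqlite_master); return it quoted for interpolation."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    known = {row[0] for row in rows}
    if requested not in known:
        raise ValueError(f"unknown table: {requested!r}")
    return quote_identifier(requested)


def count_rows(conn, table):
    """Only the allowlisted, quoted identifier is ever formatted into the SQL text."""
    sql = f"SELECT count(*) FROM {safe_table(conn, table)}"
    return conn.execute(sql).fetchone()[0]


def is_rejected(conn, table):
    """True when the untrusted name never reaches the query."""
    try:
        count_rows(conn, table)
    except ValueError:
        return True
    return False
```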