FYI:
-- Forwarded message --
From: Natarajan V
Date: Thu, Jan 10, 2013 at 10:49 AM
Subject: [Ilugc] SQL Injection vulnerability in Ruby on Rails forces websites to close down
To: ILUG-C
Hi,
A major security vulnerability found in RoR has forced a government
website to close
On Wed, Dec 17, 2008 at 11:32 AM, Travis Veazey
wrote:
> if you have a database you risk
> being exposed to SQL injection attacks if you do not harden your app against
> them.
This is actually two statements:
1. If you have a SQL database, you run some theoretical risk of SQL
injectio
On Wed, 2008-12-17 at 08:11 -0900, Travis Veazey wrote:
[...]
> I've tried searching the Django documentation, but "SQL injection"
> turns up nothing, and "escaping input" only produces results related
> to auto-escaping output in templates.
Karen has a
Karen,
Thanks! That's exactly what I was looking for!
Kenneth,
You may want to check out that link Karen provided. Nothing in my original
e-mail, except the implication that I know how to secure a PHP web app and
am asking for help securing a Django one, is limited to PHP - SQL injection
On Wed, Dec 17, 2008 at 12:11 PM, Travis Veazey wrote:
> [snip]I've tried searching the Django documentation, but "SQL injection"
> turns up nothing, and "escaping input" only produces results related to
> auto-escaping output in templates.
>
It may no
On Wednesday 17 Dec 2008 10:41:02 pm Travis Veazey wrote:
> If the Django models don't do their own escaping, how can I escape user
> input to prevent SQL injection attacks?
python !== php
--
regards
KG
http://lawgon.livejournal.com
iding user input such as
;DROP TABLE foo;#
If the Django models don't do their own escaping, how can I escape user
input to prevent SQL injection attacks?
I've tried searching the Django documentation, but "SQL injection" turns up
nothing, and "escaping input" only p
On Sun, 2007-12-09 at 14:15 -0800, Nianbig wrote:
> Thanks for your reply.
>
> I´m building an advanced search/filter page and it got too messy doing
> it with the standard Django ORM... so I decided to go with my own SQL-
> string...
> Therefore I need a function that can make input strings SQL
>
> >> On Dec 8, 2007 5:58 PM, Nianbig <[EMAIL PROTECTED]> wrote:
>
> >>> On Dec 8, 11:54 pm, Malcolm Tredinnick <[EMAIL PROTECTED]>
> >>> wrote:
>
> >>>> On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
>
> >>
wrote:
>>> On Dec 8, 11:54 pm, Malcolm Tredinnick <[EMAIL PROTECTED]>
>>> wrote:
>>>
>>>> On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
>>>>
>>>>> I´m tr
2007-12-08 at 14:28 -0800, Nianbig wrote:
> > > > I´m trying to use django.db.backend.quote_name function to prevent
> > SQL-
> > > > injection, as stated in the Django Book Security-chapter,
> > > >http://www.djangobook.com/en/beta/chapter20/.
>
> >
On Dec 8, 2007 5:58 PM, Nianbig <[EMAIL PROTECTED]> wrote:
>
> On Dec 8, 11:54 pm, Malcolm Tredinnick <[EMAIL PROTECTED]>
> wrote:
> > On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
> > > I´m trying to use django.db.backend.quote_name function to prevent
On Dec 8, 11:54 pm, Malcolm Tredinnick <[EMAIL PROTECTED]>
wrote:
> On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
> > I´m trying to use django.db.backend.quote_name function to prevent SQL-
> > injection, as stated in the Django Book Security-chapter,
> >http:/
On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
> I´m trying to use django.db.backend.quote_name function to prevent SQL-
> injection, as stated in the Django Book Security-chapter,
> http://www.djangobook.com/en/beta/chapter20/.
>
> But I'm having difficulties in gettin
I´m trying to use django.db.backend.quote_name function to prevent SQL-
injection, as stated in the Django Book Security-chapter,
http://www.djangobook.com/en/beta/chapter20/.
But I'm having difficulties in getting it working, "Could not import
portal.objects.views.start. Error w
>They escape the string in the manner appropriate to the database
>backend being used. In the above case if you were using MySQL your
>string would become:
Actually they use the parameter binding way of doing it: they pass both
the SQL and a list of parameters to the DBAPI and so it's up to the
d
vent the attempted attack from working?
They escape the string in the manner appropriate to the database
backend being used. In the above case if you were using MySQL your
string would become:
"\' or \'a\'=\'a"
Which is perfectly safe. You have to work pretty hard if
cle' string received from the urlconf? Or do I
> > need to perform some validation on the argument before passing it to
> > get_object()?
>
> All the standard Django ORM functions, such as get_object() and
> get_list(), automatically quote all parameters within the SQL
to
> get_object()?
All the standard Django ORM functions, such as get_object() and
get_list(), automatically quote all parameters within the SQL queries.
So you don't have to worry about SQL injection.
I'm hoping to write up a document about this soon.
Adrian
--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
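Both Malcolm's point above (the ORM passes the SQL and a separate list of parameters to the DB-API driver rather than escaping the string itself) and Adrian's (the ORM functions quote all parameters for you) come down to the same mechanism: parameter binding. The following is an added example, not code from any message in the thread or from Django itself. It uses the standard-library sqlite3 driver, which speaks the same DB-API that Django's backends use, to show the `' or 'a'='a` payload against a string-formatted query and against a bound parameter, and then goes one step further than the thread to cover the dynamic filter page case: column names cannot be bound, so they come from an allowlist and are quoted as identifiers. The `users`/`foo` tables, the `ALLOWED_COLUMNS` set and the `quote_identifier` helper are assumptions of this example (the helper is not Django's `quote_name`).

```python
import sqlite3


# Constructed fixture (assumption, not from the thread): a small table to
# query and a sentinel table an injected "DROP TABLE foo" would target.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE foo (id INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def find_by_formatting(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so a quote character
    in it closes the literal and the rest becomes part of the statement."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_by_binding(conn, name):
    """What the ORM and cursor.execute(sql, params) do: the SQL text and the
    values go to the DB-API driver separately, so a value can never alter the
    structure of the statement. The payload is simply a name nobody has."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


# Binding works for values only. A search/filter page that lets the user pick
# the column needs an identifier in the SQL text, and identifiers cannot be
# bound. Accept only names from a fixed allowlist and quote them as
# identifiers (SQLite's double-quote convention; assumption of this example).
ALLOWED_COLUMNS = {"name", "role"}


def quote_identifier(name):
    if name not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % name)
    return '"' + name.replace('"', '""') + '"'


def filter_by_column(conn, column, value):
    """Dynamic filter: allowlisted, quoted identifier plus a bound value."""
    sql = "SELECT name FROM users WHERE %s = ? ORDER BY name" % quote_identifier(column)
    return [row[0] for row in conn.execute(sql, (value,))]


def table_exists(conn, table):
    """Lets a caller confirm the sentinel table survived an attempted attack."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    tautology = "' or 'a'='a"  # the payload discussed in the thread
    print(find_by_formatting(db, tautology))  # every row: WHERE became a tautology
    print(find_by_binding(db, tautology))  # []: no user is literally named that
    print(find_by_binding(db, ";DROP TABLE foo;#"))  # [] as well, and foo survives
    print(filter_by_column(db, "role", "staff"))
```

Note that the sqlite3 driver refuses stacked statements in a single `execute()` call, so the `;DROP TABLE foo;#` payload from the thread is shown only against the bound query here; the tautology payload is the one that actually changes the result set of the formatted query.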
Is there any builtin protection against SQL Injection in django? Let
me present a common case I use:
class Article(meta.Model):
    name = meta.SlugField()
    title = meta.CharField()
    text = meta.TextField()

# my url conf
(r'^articles/(?P.*)/$', 'mydomain.views.view_artic