Remove usage of potentially unsafe SQL constructs #83

Open
opened 4 months ago by joss · 1 comments
joss commented 4 months ago
Owner

Looks like https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/ceod/db/MySQLService.py#L47 and the PostgreSQL equivalent are using f strings to format the queries they execute.

As far as I'm aware, this doesn't protect against SQL injection, and although I know everyone in the CSC are good, machine usage policy following people, it should probably be changed to use the safer constructs outlined here: https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries and the MySQL equivalents.

Should just be contained in ceod/db.

Looks like https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/ceod/db/MySQLService.py#L47 and the PostgreSQL equivalent are using f strings to format the queries they execute. As far as I'm aware, this doesn't protect against SQL injection, and although I know everyone in the CSC are good, machine usage policy following people, it should probably be changed to use the safer constructs outlined here: https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries and the MySQL equivalents. Should just be contained in `ceod/db`.
Poster
Owner

Actually this isn't really user facing, and probably isn't called with user-facing code so it's probably not an issue, but it's a pretty straightforward fix AFAIK.

Actually this isn't really user facing, and probably isn't called with user-facing code so it's probably not an issue, but it's a pretty straightforward fix AFAIK.
q434zhan self-assigned this 3 months ago
Sign in to join this conversation.
No Label
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: public/pyceo#83
Loading…
There is no content yet.