public
/
pyceo
27
1
Fork 3
Code Issues 25 Pull Requests 5 Projects Releases 1 Wiki Activity

Remove usage of potentially unsafe SQL constructs #83

New Issue
Open
opened 2022-10-18 15:50:35 -04:00 by joss · 1 comment
joss commented 2022-10-18 15:50:35 -04:00
Member
Copy Link

Looks like https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/ceod/db/MySQLService.py#L47 and the PostgreSQL equivalent are using f strings to format the queries they execute.

As far as I'm aware, this doesn't protect against SQL injection, and although I know everyone in the CSC are good, machine usage policy following people, it should probably be changed to use the safer constructs outlined here: https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries and the MySQL equivalents.

Should just be contained in ceod/db.

Looks like https://git.csclub.uwaterloo.ca/public/pyceo/src/branch/master/ceod/db/MySQLService.py#L47 and the PostgreSQL equivalent are using f strings to format the queries they execute. As far as I'm aware, this doesn't protect against SQL injection, and although I know everyone in the CSC are good, machine usage policy following people, it should probably be changed to use the safer constructs outlined here: https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries and the MySQL equivalents. Should just be contained in `ceod/db`.
joss commented 2022-10-19 11:43:53 -04:00
Author
Member
Copy Link

Actually this isn't really user facing, and probably isn't called with user-facing code so it's probably not an issue, but it's a pretty straightforward fix AFAIK.

Actually this isn't really user facing, and probably isn't called with user-facing code so it's probably not an issue, but it's a pretty straightforward fix AFAIK.
q434zhan self-assigned this 2022-11-20 16:13:17 -05:00
merenber added the
priority
low
 label 2023-10-14 22:19:06 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
124-fix-regression
new-positions
54-newsletter
WIP-66
65-isClubRep-fix
83-sqlfstrings
60-group-lookup
63-fix-ci
1.0.22
v0.5.1
v0.4.11
v0.4.10
v0.4.9
v0.4.8
v0.4.7
v0.4.6
v0.4.5
Labels
Clear labels   
priority
high
High priority

  
priority
low
Low priority

  
priority
medium
Medium priority

  
priority
very high
Very high priority

  
BUG

   
Feature

   
High Priority

   
Low Priority

   
Medium Priority
No Label
priority
high
priority
low
priority
medium
priority
very high
BUG
Feature
High Priority
Low Priority
Medium Priority
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/pyceo#83
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?