[PyGreSQL] sqlinjection

Christoph Zwerschke cito at online.de
Sun May 28 16:27:23 EDT 2006


Leonel wrote:
> After the recent 8.1.4 release that fixes the SQL injection bug,
> does the pygresql module not need to be patched?
> 
> I'm using the 3.8 rom version from www.postgresql.org

As far as I understand, the biggest problem is in escaping quotes with 
backslashes instead of using the SQL-standard method of doubling them.
Luckily, the DBAPI2 does the right thing already. The classic module has 
it wrong, but this happens only in internal queries for tables or 
columns, so it should be no problem in practice as long as you're not 
using tables with quotes in field names (already checked in a fix).

So, as long as you're not using a Far Eastern multi-byte encoding, 
everything should be fine.

In order to support these encodings, I think we must change the _quote() 
functions in the pg and pgdb modules to use PQescapeString instead of 
escaping manually. There is already a binding available in pgmodule.c. 
If we want to make it perfect, we should also add bindings for 
PQescapeStringConn and PQescapeByteaConn in pgmodule.c and use these 
instead of PQescapeString and PQescapeBytea, for the case where 
you have different connections using different encodings.

I think I will add this together with the other improvements (composite 
pkeys etc). (D'Arcy - give me an ok for making these changes.)

-- Christoph
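The point made in the message above (backslash-escaping a quote is unsafe in a multi-byte client encoding, doubling the quote is the SQL-standard way, and the escaper must know the connection's encoding) can be shown with a small model. The following is an added example, not PyGreSQL code and not the PostgreSQL scanner: it assumes Shift_JIS as the client encoding, where the byte 0x5C (backslash) is a valid trail byte (for instance 表 is 0x95 0x5C), and it models the server-side string-literal scanner as a function that walks the bytes one character at a time in that encoding and rejects bytes that are not valid in it. The helper names, the constructed inputs and the scanner model are all assumptions of this example.

```python
"""Added example (not PyGreSQL or PostgreSQL code): why escaping quotes
with backslashes is unsafe in a multi-byte encoding such as Shift_JIS,
and why doubling the quote after validating the encoding is not.
"""
import codecs


def quote_backslash(value: bytes) -> bytes:
    """Byte-oriented escaper in the style the message calls wrong:
    doubles backslashes and turns ' into \\' without looking at the
    encoding at all."""
    return b"'" + value.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"


def quote_doubling(value: bytes, encoding: str) -> bytes:
    """SQL-standard quoting: ' becomes ''. The escaper is given the
    connection's encoding (as PQescapeStringConn is given the connection)
    and refuses input that is not valid in it."""
    value.decode(encoding)  # raises UnicodeDecodeError on a stray lead byte
    return b"'" + value.replace(b"'", b"''") + b"'"


def rejected_by_client(value: bytes, encoding: str) -> bool:
    """True if quote_doubling refuses the value before it reaches the server."""
    try:
        quote_doubling(value, encoding)
    except UnicodeDecodeError:
        return True
    return False


def scan_literal(sql: bytes, encoding: str, backslash_escapes: bool):
    """Model of a server-side scanner (assumption of this example).
    `sql` starts with the opening quote. Bytes are consumed one character
    at a time, as `encoding` defines characters, so a multi-byte character
    whose trail byte is 0x5C is never seen as a backslash. Returns
    (decoded literal, index of the closing quote). Raises UnicodeDecodeError
    on bytes that are invalid in the encoding."""
    assert sql[:1] == b"'", "model expects a string literal"
    dec = codecs.getincrementaldecoder(encoding)()
    out = []
    i = 1
    pending_escape = False  # a bare backslash was seen (backslash mode only)
    while i < len(sql):
        ch = dec.decode(sql[i:i + 1])
        i += 1
        if not ch:
            continue  # lead byte of a multi-byte character; need more bytes
        if pending_escape:
            out.append(ch)
            pending_escape = False
        elif backslash_escapes and ch == "\\":
            pending_escape = True
        elif ch == "'":
            if sql[i:i + 1] == b"'":  # doubled quote: a literal quote
                out.append("'")
                i += 1
            else:
                return "".join(out), i - 1
        else:
            out.append(ch)
    raise ValueError("unterminated string literal")


def tail_after_literal(sql: bytes, encoding: str, backslash_escapes: bool):
    """Return (literal, bytes the server would parse as SQL after it)."""
    literal, end = scan_literal(sql, encoding, backslash_escapes)
    return literal, sql[end + 1:]


# Constructed inputs: an attacker-controlled value starting with a lone
# Shift_JIS lead byte, and a benign value containing 表 (0x95 0x5C) and a quote.
EVIL = b"\x95" + b"' OR 1=1 --"
GOOD = "表'x".encode("shift_jis")  # b"\x95\x5c'x"

if __name__ == "__main__":
    # 0x95 + the inserted backslash form one character; the quote is then bare.
    print(tail_after_literal(quote_backslash(EVIL), "shift_jis", True))
    # Even benign 表 is mangled by byte-level backslash doubling.
    print(tail_after_literal(quote_backslash(GOOD), "shift_jis", True))
    # Encoding-aware doubling rejects the malformed value at the client ...
    print(rejected_by_client(EVIL, "shift_jis"))
    # ... and round-trips the benign one intact.
    print(tail_after_literal(quote_doubling(GOOD, "shift_jis"), "shift_jis", False))
```

The first call is the injection: the scanner decodes 0x95 0x5C as 表, so the backslash the escaper inserted is swallowed and the following quote closes the literal, leaving ` OR 1=1 --'` to be parsed as SQL. The second call shows that the same escaper breaks even valid data. The doubling escaper, given the connection's encoding, rejects the malformed value outright and leaves valid text unchanged, which is the behaviour PQescapeStringConn provides per connection.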

