Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Sql injection is only possible if there is unquoted user input in the query. The fields being submitted clientside seem to be mostly quoted here chief.
-
@nitwhiz Not true.
netikras@netikras-xps:~$ python3
Python 3.6.8 (default, Oct 7 2019, 12:59:55)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> a="""SELECT * from USER where USERNAME='{uname}' AND PWHASH='{hash}'""".format(uname="myuname';drop table user;--", hash="deadbeef") ; a
"SELECT * from USER where USERNAME='myuname';drop table user;--' AND PWHASH='deadbeef'"
>>>
This example IS a subject for a SQLi attack. -
@netikras I'm sorry but I'd totally say that's a problem on pythons side, as this doesn't work for me in my php environment.^^
-
Holy shit that's bad.
I'm assuming that the comment body is not sanitized. If it isn't, that indeed is an SQL Injection. -
Fradow9085yYup, unless those data['body'] and data['stream_sec'] are properly escaped, it is a textbook SQL injection vulnerability.
@nitwhiz that's not a python issue, you can totally have the same sort of issue in PHP, or any other language for that matter. Every language and every DB as ways to deal with that securely. Apparently the dev in question didn't bother to find out what he should use. -
@nitwhiz no it's not. If you can't dance you should not blame your testies for getting in a way.
Python's .format does one thing. Php's -- a bit different. There's a reason these languages are called differen't names, ain't it? After all I'd be pissed if .format did anything more but replace placeholders. It's a violation of SRP.
Now back to the topic. A prepared statement should be used in cases like OP's. They completely solve this problem and you still get to use placeholders. -
dder22815yI’m not that into python, but I’m pretty sure that there is a ORM lib for that, so you shouln’t need to worry about SQLi, should you ?
-
hjk10156965y@nitwhiz bullshit. Quoting only helps if the database drivers quote function is used. That one escapes ' for example and b other nastyness. I hope you go ahead and did your codebase 😅.
Your php codebase that is. Use PDO or some other layer that helps safely insert your variable data. Using it in sprintf or plain interpolation/concatenation will fuckups you up in any language. -
class ReplyToComment haha
Also, gotta love DB access and HTTP response stuff in the same method, fuck separation. -
iran3975y@Charon92 in this case actually return means to stop here. Falcon does not use function return, it uses it’s response and req object.
Classic OO shit.
Related Rants
This fucking stupid asshole developer, wrote every single SQL execution with string formatting. Made me a full sleepless night fixing this shit. Isn’t this a classical SQL injection sample?
rant
python
psycopg2
injection
sql