-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL injection vulnerability #92
Comments
@pkerpedjiev. Here's a fix, I think. (I checked out the project, and realize now I don't have write privs, and would make a fork, but I should head out.) (also make the list building more idiomatic.) query = """
SELECT importance, chrOffset, fields FROM intervals
WHERE fields LIKE '%?%'
ORDER BY importance DESC
LIMIT 10
"""
rows = c.execute(query, text).fetchall()
to_return = []
for (importance, chrOffset, fields) in rows:
field_parts = fields.split('\t')
to_return.append({
'chr': field_parts[0],
'txStart': int(field_parts[1]),
'txEnd': int(field_parts[2]),
'score': importance,
'geneName': field_parts[3]})
return to_return |
You should have write privileges now. And no, text is not being sanitized. It comes directly from the search box. I presume |
Yeah: using execute to pass in parameters is the way to avoid injection attacks. On a second look: I don't think syntactically |
Maybe something upstream is santitizing
text
, but still, this is not good. Use the?
instead.The text was updated successfully, but these errors were encountered: