I recently upgraded my Django SVN checkout to 1.0 and ran into a really surprising problem. One of the nice new features of 1.0 is that Django uses unicode wherever it can. This should mean that your projects automatically handle unicode too (for the most part), so most people won't even notice, except that they can suddenly communicate more effectively with their non-English-speaking users. The surprise: apparently psycopg (or maybe libpq) doesn't escape unicode string parameters by default, so my project was suddenly more or less open to SQL injection.
Observe the following:
>>> sql = '''
... select * from information_schema.tables
... where table_name = %s'''
>>> curs.execute(sql, ("columns",))
>>> curs.execute(sql, (r"columns",))
>>> curs.execute(sql, (u"columns",))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
psycopg.ProgrammingError: ERROR: column "columns" does not exist
LINE 3: where table_name = columns
                           ^
Hopefully this is in the documentation somewhere and I just missed it.
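To show what is going on in the session above, here is an added example (not code from the post, and not psycopg's own code): a tiny stand-in for a DB-API driver whose parameter adaptation is keyed on the Python type, so that a byte string gets quoted while a text string is pasted in bare, plus a cursor wrapper that encodes text parameters before the driver sees them and a self-check a project can run against its own cursor. The SQL, the `%s` placeholder style and the `= columns` outcome are taken from the post; the type names map Python 2's `str`/`unicode` to Python 3's `bytes`/`str`.

```python
# Added example, not code from the post: a stand-in for a DB-API driver whose
# parameter adaptation is keyed on the Python type, as psycopg 1.x was.
# Python 2's `str` (the type that got quoted) is played here by `bytes`, and
# `unicode` (the type that did not) by Python 3's `str`. A cursor wrapper
# encodes text parameters before the driver sees them, so they get quoted.

SQL = "select * from information_schema.tables where table_name = %s"

def quote_bytes(value: bytes) -> str:
    """Adapt a byte string into a quoted SQL literal (quote doubling)."""
    return "'" + value.decode("utf-8").replace("'", "''") + "'"

# Only byte strings and ints have adapters; anything else falls back to str(),
# which is how an unadapted unicode value ends up pasted into the SQL bare.
ADAPTERS = {bytes: quote_bytes, int: str}

class FakeCursor:
    """Renders SQL the way a driver without a unicode adapter would."""
    def execute(self, sql, params=()):
        rendered = tuple(ADAPTERS.get(type(p), str)(p) for p in params)
        return sql % rendered          # returned here instead of sent to a server

class UnicodeCursorWrapper:
    """Encodes text parameters to the connection encoding before execute()."""
    def __init__(self, cursor, encoding="utf-8"):
        self.cursor = cursor
        self.encoding = encoding

    def execute(self, sql, params=()):
        encoded = tuple(p.encode(self.encoding) if isinstance(p, str) else p
                        for p in params)
        return self.cursor.execute(sql, encoded)

def unicode_param_is_quoted(execute) -> bool:
    """Self-check: a text value holding an apostrophe must render as one literal."""
    rendered = execute(SQL, ("o'reilly",))
    return rendered.endswith("= 'o''reilly'")

if __name__ == "__main__":
    print(FakeCursor().execute(SQL, ("columns",)))           # ends in "= columns" (bare)
    print(unicode_param_is_quoted(FakeCursor().execute))     # False
    print(unicode_param_is_quoted(UnicodeCursorWrapper(FakeCursor()).execute))  # True
```

Against a real driver the same self-check works with a cursor that can render a statement without running it (psycopg2's `cursor.mogrify`, for instance), which is a cheap thing to keep in a project's test suite.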