[issue11685] possible SQL injection into db APIs via table names... sqlite3
report at bugs.python.org
Sun Mar 27 10:19:55 CEST 2011
Rene Dudfield <illume at users.sourceforge.net> added the comment:
It seems to require the use of a quote function. See http://www.sqlite.org/c3ref/mprintf.html
However python does not seem to expose the function? I don't see how you can write safe queries using python without it.
Python tracker <report at bugs.python.org>
More information about the Python-bugs-list