[issue11685] possible SQL injection into db APIs via table names... sqlite3

Martin v. Löwis report at bugs.python.org
Sat Mar 26 18:41:44 CET 2011


Martin v. Löwis <martin at v.loewis.de> added the comment:

Ah. That's not a limitation of Python, but a limitation of sqlite. See 

http://www.sqlite.org/c3ref/bind_blob.html

for how parameter binding works. The table name is not supported as a parameter; neither are column names or database names.

So if you want this feature added, please request it from the sqlite developers; Python will then naturally inherit it. I'm skeptical that they are open to such a proposal, though, since it will be a massive change in SQL parsing.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11685>
_______________________________________
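What the comment above means in practice, as an added example that is not part of the tracker thread or of CPython's sqlite3 module: a `?` placeholder can carry only a value, so trying to bind a table name produces a syntax error, and the workable defence is to check the caller-supplied identifier against an allowlist (here, the tables and columns that actually exist in the schema) and then splice it into the statement as a quoted identifier, while every value still goes through parameter binding. The in-memory database, the tables `users` and `odd"name`, and the helper names are constructed for this example.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database for the example (not from the tracker)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    # A table whose name contains a double quote, to exercise identifier quoting.
    conn.execute('CREATE TABLE "odd""name" (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.execute('INSERT INTO "odd""name" (name) VALUES (?)', ("x",))
    conn.commit()
    return conn


def bind_table_name_fails(conn):
    """The limitation Martin describes: a ? placeholder is a value, not an
    identifier, so sqlite rejects the statement at prepare time."""
    try:
        conn.execute("SELECT COUNT(*) FROM ?", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def quote_identifier(name):
    """Quote an SQL identifier: wrap in double quotes and double any embedded
    double quote. This only makes a *legitimate* name safe to splice in;
    the allowlist check below is what keeps attacker-chosen names out."""
    return '"' + name.replace('"', '""') + '"'


def table_names(conn):
    """Allowlist of table names taken from the live schema."""
    return {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}


def column_names(conn, table):
    """Allowlist of column names for an already-validated table.
    PRAGMA table_info takes an identifier, so it is quoted rather than bound."""
    return {row[1] for row in conn.execute(
        f"PRAGMA table_info({quote_identifier(table)})")}


def count_rows(conn, table):
    """Validate the table name against the schema, then splice it in quoted."""
    if table not in table_names(conn):
        raise ValueError(f"unknown table: {table!r}")
    sql = f"SELECT COUNT(*) FROM {quote_identifier(table)}"
    return conn.execute(sql).fetchone()[0]


def find_rows(conn, table, column, value):
    """Identifiers are allowlisted and quoted; the value still goes through ?."""
    if table not in table_names(conn):
        raise ValueError(f"unknown table: {table!r}")
    if column not in column_names(conn, table):
        raise ValueError(f"unknown column: {column!r}")
    sql = (f"SELECT id FROM {quote_identifier(table)} "
           f"WHERE {quote_identifier(column)} = ?")
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    conn = make_demo_db()
    print("binding a table name fails:", bind_table_name_fails(conn))
    print("users:", count_rows(conn, "users"))
    print('odd"name:', count_rows(conn, 'odd"name'))
    print("bob ->", find_rows(conn, "users", "name", "bob"))
    for bad in ("users; DROP TABLE users", 'users" OR 1=1 --'):
        try:
            count_rows(conn, bad)
        except ValueError as e:
            print("rejected:", e)
```

The allowlist is the real control: quoting alone would still let a caller pick any existing table, so an API that takes identifiers from untrusted input should compare them against a fixed set (or, as here, the schema) before they ever reach the SQL text.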

