[issue11685] possible SQL injection into db APIs via table names... sqlite3
Petri Lehtinen
report at bugs.python.org
Tue May 29 18:22:01 CEST 2012
Petri Lehtinen <petri at digip.org> added the comment:
No SQL library that I know of provides a way to escape table names. The quoting functions are always meant to escape string parameters. This is true for sqlite3_mprintf(), too (the %q and %Q options).
If you build table names from user input, your database design is somehow flawed.
----------
resolution: -> wont fix
stage: -> committed/rejected
status: open -> closed
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11685>
_______________________________________
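As an added illustration of the point made above (example code, not part of the tracker thread): sqlite3's `?` placeholders bind values only, so a table name cannot be parameterized at all, and the defensive pattern is to validate the identifier against an allowlist of known tables before it reaches the query text. The in-memory schema and table names here are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema (not from the tracker issue).
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL);
    INSERT INTO users (name) VALUES ('alice'), ('bob');
    INSERT INTO orders (total) VALUES (9.5);
""")


def try_bind_table_name(table):
    """Show that '?' parameters bind values, never identifiers.

    The bound value would be a string literal, which is not valid in the
    FROM position, so SQLite rejects the statement when it is prepared.
    Returns the error message, or None if the statement unexpectedly ran.
    """
    try:
        conn.execute("SELECT COUNT(*) FROM ?", (table,))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def count_rows(table):
    """Safe variant: accept only identifiers that exist in the schema.

    The allowlist is read from sqlite_master, so any name not created by
    the application is refused before it is interpolated. The accepted
    name is then quoted as a SQL identifier (double quotes, embedded
    quotes doubled) so it is always parsed as a table name.
    """
    known = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError(f"unknown table: {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]


if __name__ == "__main__":
    print("binding a table name:", try_bind_table_name("users"))
    print("users:", count_rows("users"), "orders:", count_rows("orders"))
```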