Unescaped single quote in server_default (for MySQL at least)
The following code:
from sqlalchemy import create_engine, Table, Column, String, MetaData
from sqlalchemy.sql.ddl import CreateTable

engine = create_engine('mysql://businessoptics:businessoptics@mysql.businessoptics.dev/data')

# Compile the CREATE TABLE for the MySQL dialect; the server_default string
# is rendered straight into the DDL as a literal.
print(CreateTable(Table('mytable',
                        MetaData(),
                        Column('mycolumn',
                               String(length=100),
                               server_default="a'b"))
      ).compile(engine))
produces this invalid output:
CREATE TABLE mytable (
    mycolumn VARCHAR(100) DEFAULT 'a'b'
)
In this case it's a SQL syntax error, but it could also lead to SQL injection.
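As an added example, not code from the issue or from SQLAlchemy itself: a minimal DEFAULT-clause renderer in the unescaped form the report shows, next to an escaped form, together with a small parser that consumes a string literal the way the server's tokenizer would, so the broken and the fixed renderings can be compared offline. The helper names, the backslash_escapes flag and the sample values are this example's own assumptions; the MySQL point the flag encodes is that backslash acts as an escape character inside string literals unless sql_mode NO_BACKSLASH_ESCAPES is set, so doubling quotes alone is not sufficient there.

```python
# Added example, not code from the issue or from SQLAlchemy: a minimal
# renderer for a column DEFAULT clause, in the unescaped form the report
# shows and in a form that escapes the literal, plus a small parser that
# reads a string literal the way the server's tokenizer would, so the
# difference can be checked without a database.


def render_default_unescaped(value):
    """Interpolate the value straight into the DDL (the reported behaviour)."""
    return "DEFAULT '%s'" % value


def quote_literal(value, backslash_escapes=True):
    """Render `value` as a SQL string literal.

    Doubling a single quote is the standard SQL escape. MySQL additionally
    treats backslash as an escape character inside string literals unless
    the NO_BACKSLASH_ESCAPES sql_mode is active, so backslashes are doubled
    as well when backslash_escapes is True (the caller is assumed to know
    the server's sql_mode; the flag is this example's assumption, not an
    SQLAlchemy API).
    """
    escaped = value
    if backslash_escapes:
        escaped = escaped.replace("\\", "\\\\")
    escaped = escaped.replace("'", "''")
    return "'" + escaped + "'"


def render_default_escaped(value, backslash_escapes=True):
    """DEFAULT clause with the value rendered as a proper literal."""
    return "DEFAULT " + quote_literal(value, backslash_escapes)


def parse_literal(text, backslash_escapes=True):
    """Consume one single-quoted literal from the start of `text`.

    Returns (decoded_value, chars_consumed). Only the two escape forms that
    matter for quoting are modelled: a doubled quote, and (when enabled) a
    backslash followed by any character, which yields that character.
    Raises ValueError if the literal never terminates.
    """
    if not text.startswith("'"):
        raise ValueError("not a string literal")
    out = []
    i = 1
    n = len(text)
    while i < n:
        c = text[i]
        if backslash_escapes and c == "\\" and i + 1 < n:
            out.append(text[i + 1])
            i += 2
            continue
        if c == "'":
            if i + 1 < n and text[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def leftover_after_literal(rendered_default, backslash_escapes=True):
    """Text the server would see after the DEFAULT literal ends.

    For a correctly escaped value this is empty; anything else is
    caller-controlled text that ended up outside the quotes, i.e. DDL.
    """
    literal = rendered_default[len("DEFAULT "):]
    _, consumed = parse_literal(literal, backslash_escapes)
    return literal[consumed:]


def roundtrip(value, backslash_escapes=True):
    """True if quoting and then parsing gives back exactly `value`."""
    literal = quote_literal(value, backslash_escapes)
    decoded, consumed = parse_literal(literal, backslash_escapes)
    return decoded == value and consumed == len(literal)


if __name__ == "__main__":
    # Constructed inputs: the value from the report, and one that carries
    # extra column text past the stray quote.
    for value in ("a'b", "a', x INT DEFAULT '"):
        broken = render_default_unescaped(value)
        fixed = render_default_escaped(value)
        print(broken, "-> leftover:", repr(leftover_after_literal(broken)))
        print(fixed, "-> leftover:", repr(leftover_after_literal(fixed)))
```

Running the block prints the rendered clauses. For the report's value the unescaped rendering leaves the text b' outside the literal, which is the syntax error shown above; any other text placed after the stray quote lands in the DDL the same way, while the escaped rendering leaves nothing outside the literal and decodes back to the original value.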
Comments (6)
repo owner I don't agree that this should be treated as traditional SQL injection (e.g. requiring backports, breaking applications working around this on a point release). Creation of tables via DDL is not a pathway that is normally exposed to untrusted users, any more than is connection.execute().

repo owner changed status to resolved

Escape literal string values passed to server_default

A string sent as a column default via the :paramref:`.Column.server_default` parameter is now escaped for quotes. This change is backwards compatible with code that may have been working around this previously.

Change-Id: I341298a76cc67bc0a53df4ab51ab9379f2294cdd
Fixes: #3809
<<cset 079df65dc0f7>>

reporter
> This change is backwards compatible with code that may have been working around this previously.

You said the opposite here. Typo?
reporter Anyway, thanks for the quick resolution
repo owner yup typo
https://gerrit.sqlalchemy.org/199