Unescaped single quote in server_default (for MySQL at least)

Issue #3809 resolved
Alex Hall created an issue

The following code:

from sqlalchemy import create_engine, Table, Column, String, MetaData
from sqlalchemy.sql.ddl import CreateTable

engine = create_engine('mysql://businessoptics:businessoptics@mysql.businessoptics.dev/data')

# Render the CREATE TABLE statement against the engine's MySQL dialect;
# the string default contains an unescaped single quote.
print(CreateTable(Table('mytable',
                        MetaData(),
                        Column('mycolumn',
                               String(length=100),
                               server_default="a'b"))
                  ).compile(engine))

produces this invalid output:

CREATE TABLE mytable (
    mycolumn VARCHAR(100) DEFAULT 'a'b'
)

In this case it's a SQL syntax error, but it could also lead to SQL injection.

Comments (6)

  1. Mike Bayer repo owner
    • changed component to sql
    • changed milestone to 1.1

    I don't agree that this should be treated as traditional SQL injection (eg requiring backports, breaking application working around this on a point release). Creation of tables via DDL is not a pathway that is normally exposed to untrusted users, any more than is connection.execute().

  2. Mike Bayer repo owner

    Escape literal string values passed to server_default

    A string sent as a column default via the Column.server_default parameter is now escaped for quotes.

    This change is backwards compatible with code that may have been working around this previously.

    Change-Id: I341298a76cc67bc0a53df4ab51ab9379f2294cdd
    Fixes: #3809

    → <<cset 079df65dc0f7>>
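The rendering described in the report and the "escaped for quotes" behaviour described in the fix above, as an added stand-alone example. This is not SQLAlchemy's compiler code: it re-creates the two ways a string server_default can be placed into CREATE TABLE DDL (verbatim between quotes, and with single quotes doubled), adds a small scanner that shows why the verbatim form is unsafe, and assumes MySQL's default sql_mode in which backslash is also an escape character inside string literals. The table name, column, and the sample default values are constructed for the example.

```python
# Added example (not SQLAlchemy's code): unescaped vs. quote-escaped rendering
# of a string server_default, plus a scanner that checks the resulting DDL.

MYSQL_BACKSLASH_ESCAPES = True  # assumption: MySQL's default sql_mode


def render_default_unescaped(value: str) -> str:
    """Pre-fix behaviour from the report: the value goes between quotes verbatim."""
    return "'" + value + "'"


def render_default_escaped(value: str) -> str:
    """Quote-escaped rendering: double every single quote (standard SQL) and,
    because MySQL treats backslash as an escape by default, double backslashes."""
    if MYSQL_BACKSLASH_ESCAPES:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def create_table_ddl(table: str, columns, render_default) -> str:
    """Emit CREATE TABLE in the layout shown in the report.
    columns: list of (name, type_sql, server_default_or_None);
    render_default: one of the two renderers above."""
    lines = []
    for name, type_sql, default in columns:
        line = f"{name} {type_sql}"
        if default is not None:
            line += " DEFAULT " + render_default(default)
        lines.append("    " + line)
    return f"CREATE TABLE {table} (\n" + ",\n".join(lines) + "\n)"


def scan_ddl(sql: str) -> dict:
    """Minimal lexer for the two checks that matter here: it tracks single-quoted
    literals (honouring '' and backslash escapes), skips MySQL '#' line comments,
    and counts semicolons that appear outside any literal."""
    in_literal = False
    stray_semicolons = 0
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if in_literal:
            if c == "\\" and MYSQL_BACKSLASH_ESCAPES and i + 1 < n:
                i += 2          # escaped character, whatever it is
                continue
            if c == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    i += 2      # doubled quote: a literal quote character
                    continue
                in_literal = False
        elif c == "'":
            in_literal = True
        elif c == "#":
            while i < n and sql[i] != "\n":   # MySQL line comment
                i += 1
            continue
        elif c == ";":
            stray_semicolons += 1
        i += 1
    return {"unterminated_literal": in_literal, "stray_semicolons": stray_semicolons}


def ddl_is_safe(sql: str) -> bool:
    """A single CREATE TABLE should close every literal and contain no
    statement separator outside a literal."""
    result = scan_ddl(sql)
    return not result["unterminated_literal"] and result["stray_semicolons"] == 0


if __name__ == "__main__":
    # Constructed inputs: the value from the report, a value ending in a
    # backslash, and a value shaped like an injection attempt (it only matters
    # against a driver that executes several statements per call).
    for value in ["a'b", "C:\\path\\", "x'); DROP TABLE users; #"]:
        for renderer in (render_default_unescaped, render_default_escaped):
            sql = create_table_ddl("mytable", [("mycolumn", "VARCHAR(100)", value)], renderer)
            print(f"{renderer.__name__:25s} safe={ddl_is_safe(sql)!s:5s} {sql.splitlines()[1].strip()}")
```

With the unescaped renderer the report's value reproduces the `DEFAULT 'a'b'` line exactly and leaves a literal open; with the escaped renderer it becomes `DEFAULT 'a''b'`. The backslash case is the reason the MySQL form doubles backslashes as well: a value ending in `\` would otherwise escape the closing quote.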

  3. Alex Hall reporter

    "This change is backwards compatible with code that may have been working around this previously."

    You said the opposite here. Typo?
