Package: python-sqlalchemy
Version: 0.3.0-1
Severity: important
Tags: upstream
I get data keys as unicode strings, albeit they only consist of regular characters. When I try to use them in sqlalchemy, broken SQL commands are generated, e.g.:

    SELECT count(foobar.foobarid) AS tbl_row_count FROM foobar WHERE foobar.foobarid = KiupZ8YqyzY

So there is no quoting happening with the unicode object; it's passed in as-is. Sounds like a really bad idea to me (SQL injection vulnerabilities; though it won't work in the first place either).

When using str(variable) or variable.encode("utf-8") it will work. (Though I didn't test if you could still do a SQL injection; the printed commands in the log, e.g.

    FROM foobar WHERE foobar.foobarid = %(foobar_foobarid)s ORDER BY foobar.id LIMIT 1

don't give me a secure feeling... :-(

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages python-sqlalchemy depends on:
ii  python          2.4.4-1    An interactive high-level object-o
ii  python-central  0.5.9      register and build utility for Pyt

python-sqlalchemy recommends no packages.

-- no debconf information
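The two SQL strings in the report illustrate two different things: the first is a value pasted into the statement text without quoting, the second is a DB-API pyformat placeholder (%(name)s) that the database driver fills in at execute time. The example below is added here to show that difference; it is not code from the bug report or from SQLAlchemy. It uses Python 3 and the standard sqlite3 module (which uses :name placeholders rather than pyformat) on a constructed "foobar" table; the column and sample key names are assumptions taken from the report's output.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from a real system.
SAMPLE_KEYS = ["KiupZ8YqyzY", "AnotherKey1"]


def setup_db():
    """In-memory table shaped like the report's 'foobar' (id + foobarid)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foobar (id INTEGER PRIMARY KEY, foobarid TEXT)")
    conn.executemany("INSERT INTO foobar (foobarid) VALUES (?)",
                     [(k,) for k in SAMPLE_KEYS])
    conn.commit()
    return conn


def interpolated_sql(key):
    """Paste the value into the SQL text: no quoting, so the value becomes SQL.

    This reproduces the shape of the first statement in the report."""
    return "SELECT count(foobar.foobarid) FROM foobar WHERE foobar.foobarid = %s" % key


def count_interpolated(conn, key):
    """Run the interpolated statement.

    Returns the row count, or the database error message as a string when the
    unquoted value is not valid SQL (sqlite3 reports it as an unknown column)."""
    try:
        return conn.execute(interpolated_sql(key)).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return str(exc)


def count_bound(conn, key):
    """Bind the value as a parameter.

    The SQL text sent to the driver contains only a placeholder; the driver
    supplies the value separately, so the value can never change the
    statement's structure. psycopg2 and MySQLdb use the pyformat style
    '%(foobarid)s' for this, which is what the placeholder in the report's
    log line is; sqlite3 uses ':foobarid'."""
    cur = conn.execute(
        "SELECT count(foobar.foobarid) FROM foobar WHERE foobar.foobarid = :foobarid",
        {"foobarid": key},
    )
    return cur.fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    for value in ["KiupZ8YqyzY", "'' OR 1=1"]:
        print("value:        ", repr(value))
        print("interpolated: ", count_interpolated(db, value))
        print("bound:        ", count_bound(db, value))
```

With the plain key, the interpolated statement fails because the unquoted value is parsed as an identifier; with a crafted value such as '' OR 1=1 it runs and matches every row, which is the injection the report worries about. The bound version returns 1 for the real key and 0 for the crafted value, because the driver hands the value to the database as data rather than as part of the statement.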