Add support for parametrized queries #113
Comments
foobuzz
changed the title
|
Thanks for raising this ticket. Can definitely do something like that in the near future. |
|
@foobuzz Can you point to some articles about parametrization being the only working anti-injection solution? I started using pypika recently and I was wondering about the threat of injection. I might not be a skilled attacker, but my simplistic test leads me to think that I'm not in danger right now: >>> t = Table('the_table')
>>> param_taken_from_the_outside_world = 'John\'; DROP TABLE the_table'
>>> param_taken_from_the_outside_world
"John'; DROP TABLE the_table"
>>> q = Query.from_(t).select('*').where(t.name == param_taken_from_the_outside_world)
>>> q
SELECT * FROM "the_table" WHERE "name"='John''; DROP TABLE the_table'@twheys Did somebody succesfully inject SQL into pypika params? |
|
@butla Some databases like MySQL or Postgre still accept The term Additionally some database may use pre-defined conversions from Unicode to ASCII, e.g. converting The problem here is that pypika is just the tool that produces the query, and the robustness of a query against SQL injection is highly dependent on how the query will be handled by the database, which pypika is totally decoupled from. Parametrized queries are an interface exposed by databases themselves, therefore ensuring their security. It's just that they expect not only a string but also a tuple (of values) as input, making pypika not compatible with such interface. |
|
@foobuzz I know about parametrized queries and I know why they should be used. Still, I'd like to know what exactly is the risk when using Pypika. And the example you've provided fails to drop the table for me. Using psycopg2 to run the query, using Postgres from |
|
@butla My example comes from https://security.stackexchange.com/a/108490 which claims that it works against a MySQL database. |
|
I'm looking at adding parametrised query support. Instead of calling The reason is that the way PyPika is used (in the monoid pattern) order of parameters is only determined at evaluation time, and is dependant on the dialect. Is there anything I'm overlooking @twheys ? |
Hello,
Props for this wonderful tool!
My understanding is that the end product for the user is always the SQL string as returned by calling
stron a Query object. Such string can then be passed to whatever database interface the user is using. However, SQL interfaces also accept so-called parametrized queries, where the input isn't a single SQL string, but rather a string containing placeholders alongside a tuple containing values to replace the placeholders with. Parameterized queries are very important as they're the only working solution against SQL injection.The interface could be improved such that the Query object would have two properties
statementandvaluescorresponding respectively to the parametrized statement and the values for this statement. The behavior ofstrwould still be relevant as it's always useful to know what a query looks like even when parametrized, although its output should be documented as insecure with unstrusted data.The text was updated successfully, but these errors were encountered: