
from django.conf.urls import patterns, url
from django.db import connection, models
from django.db.models.expressions import RawSQL
class Name(models.Model):
    """Empty model; exists only so the fixture can reach the raw-SQL ORM entry points through ``Name.objects``."""
def save_name(request):
    """Django view used as a CodeQL fixture for CWE-089 (SQL injection).

    Reads the untrusted ``name`` field from a POST body and passes it to
    several raw-SQL sinks.  The ``#GOOD``/``#BAD`` markers are the fixture's
    ground truth: the first call hands the value to the driver as a query
    parameter, the rest build the statement with ``%`` string formatting and
    are the results the query is expected to report.  Nothing is returned.

    Args:
        request: Django request; only ``request.method`` and
            ``request.POST`` are read.
    """
    if request.method == 'POST':
        # Taint source: attacker-controlled request data.
        name = request.POST.get('name')
        curs = connection.cursor()
        #GOOD -- Using parameters
        # The value travels separately from the SQL text, so the driver, not
        # string concatenation, decides how it is quoted.
        # NOTE(review): for a call that actually runs, Django expects the
        # params as a sequence (``[name]``) and an unquoted ``%s`` placeholder;
        # kept as written because the query only needs the data-flow shape.
        curs.execute(
            "insert into names_file ('name') values ('%s')", name)
        #BAD -- Using string formatting
        # The untrusted text becomes part of the statement itself, so a value
        # containing a quote breaks out of the literal and rewrites the query.
        curs.execute(
            "insert into names_file ('name') values ('%s')" % name)
        #BAD -- other ways of executing raw SQL code with string interpolation
        # Same interpolation flaw reached through the ORM's raw-SQL APIs.
        # These sinks are intentionally vulnerable test cases; do not "fix"
        # them here -- the .expected output for this query depends on them.
        Name.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % name))
        Name.objects.raw("insert into names_file ('name') values ('%s')" % name)
        Name.objects.extra("insert into names_file ('name') values ('%s')" % name)
# Route the view so the fixture has an HTTP entry point for the taint source.
# NOTE(review): ``patterns()`` is the pre-Django-1.10 URLconf API, and this
# call appears to pass ``url(...)`` where ``patterns`` took its prefix string.
# Left as-is: this file is a static-analysis fixture and is not executed.
urlpatterns = patterns(
    url(r'^save_name/$', save_name, name='save_name'),
)