One character to rule them all

Reading Time: 1 minute


In this post I will provide example how just one character can make a significant difference regarding security of Django web application.

The issue is sql injection. When I test for sql injections and I have access to client codebase (which can save significant amount of money for client), I first search code for using raw sql code. I am using simple unix utilities, less and grep:

grep -H -r 'what_you_search' * | less

In Django code system, you should search for raw function because it accepts for input raw sql.

You should learn what is proper way to send sql parameters to that function. For Django raw, this is proper way:

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s', [lname])

I searched the codebase, and found following:

>>> lname = 'Doe'
>>> Person.objects.raw('SELECT * FROM myapp_person WHERE last_name = %s' % lname)

Have you noticed the difference? % instead of ,

Here is how you can easily construct strings in Python (Django is Python framework):

"welcome sql injection %s" % hacker_string

This just replaces hacher_string with %s. And does not check hacker_string for possible sql code injection, which raw function does, but only when user input is send as raw function parameter, as explained in documentation.

%, one character to rule them all!

Facebooktwittergoogle_plusredditpinterestlinkedinmailby feather

Karlo Smid

Leave a Reply

Your email address will not be published. Required fields are marked *