Issue 45: Sensitive GQL queries
Project Member Reported by wha...@gmail.com, Jun 9, 2010
All over our code we build GQL queries more or less like this:
keyw = db.GqlQuery("SELECT * FROM Keyword WHERE text='%s'"%keyw_text).get()

But what if keyw_text contains a ' character? (i.e. Obama's)
Not only can it ruin the select and cause exceptions, it can also lead to serious security issues (see SQL injection).

I've changed the queries that are problematic - those that really can have "'" in their parameters. If you still see any GQL query that is bad, or want to write a new query, use:

keyw = db.GqlQuery("SELECT * FROM Keyword WHERE text=:k",k=keyw_text).get()

or for more params:
db.GqlQuery("SELECT * FROM ArticleActivity WHERE user = :userID and articleID=:articleID", userID=A, articleID=B)
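An added example (not from the issue or the project's code) that helps with the reporter's request to find any remaining bad queries: it parses a module with Python's ast and flags GqlQuery calls whose query text is built with %, +, .format() or an f-string instead of :name bindings. The sample module is constructed here and mirrors the two styles shown above.

```python
# Added audit example, not part of the original issue: flag GqlQuery calls whose
# first argument is assembled by string formatting rather than bound with :name.
import ast


def _is_formatted_string(node):
    """True if the expression builds its text with %, +, .format() or an f-string."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):  # f"..." literal
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_interpolated_gql(source):
    """Return sorted line numbers of GqlQuery(...) calls built by interpolation."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name == "GqlQuery" and _is_formatted_string(node.args[0]):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed sample module: line 2 and line 6 use interpolation, lines 3-5 bind parameters.
SAMPLE = '''
keyw = db.GqlQuery("SELECT * FROM Keyword WHERE text='%s'" % keyw_text).get()
safe = db.GqlQuery("SELECT * FROM Keyword WHERE text=:k", k=keyw_text).get()
acts = db.GqlQuery("SELECT * FROM ArticleActivity WHERE user = :userID and articleID=:articleID",
                   userID=A, articleID=B)
bad2 = db.GqlQuery("SELECT * FROM Keyword WHERE text='" + keyw_text + "'")
'''

if __name__ == "__main__":
    for line in find_interpolated_gql(SAMPLE):
        print("interpolated GqlQuery at line", line)
```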

Aug 27, 2010
Project Member #1 wha...@gmail.com
(No comment was entered for this change.)
Status: Fixed
