SQLCipher pragma injection #13230

Description

@eddieran

Finding 1: PostgreSQL Two-Phase XID Injection (Medium)

dialects/postgresql/base.py:3690,3702,3714 and psycopg.py:626,636 interpolate the XID into SQL via %-formatting with single-quote delimiters and no escaping. The MySQL dialect does this correctly with parameterized queries.

Finding 2: SQLCipher Pragma Injection (Medium-High)

dialects/sqlite/pysqlcipher.py:139,143 interpolates the URL password and query params into PRAGMA statements with double-quote delimiters.
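Added illustration of both findings, not part of the report above and not SQLAlchemy's code: it reproduces the two interpolation patterns the reporter describes (raw %-formatting inside `"..."` for the PRAGMA value, inside `'...'` for the XID) next to a hardened form that doubles the delimiter, the SQL-standard escape. Function and helper names are my own. Plain `sqlite3` stands in for SQLCipher: it silently ignores the unknown `key` pragma, so the only way the constructed password below can change `user_version` is by smuggling a second statement into the script.

```python
import sqlite3


def quote_sql_literal(value: str, delimiter: str) -> str:
    """Wrap value in delimiter, doubling any embedded delimiter.

    Doubling is the SQL-standard escape for both single-quoted string
    literals (PostgreSQL XID case) and double-quoted tokens (SQLCipher
    PRAGMA case). A NUL byte cannot be represented in either, so reject it.
    """
    if delimiter not in ("'", '"'):
        raise ValueError("delimiter must be ' or \"")
    if "\x00" in value:
        raise ValueError("NUL byte in SQL literal")
    return delimiter + value.replace(delimiter, delimiter * 2) + delimiter


def key_pragma_vulnerable(password: str) -> str:
    # Pattern the report describes: raw %-formatting between double quotes.
    return 'PRAGMA key="%s"' % password


def key_pragma_hardened(password: str) -> str:
    # PRAGMA values are fixed at parse time, so there is nothing to bind;
    # escaping the delimiter is the available fix.
    return "PRAGMA key=%s" % quote_sql_literal(password, '"')


def prepare_transaction_vulnerable(xid: str) -> str:
    # Same pattern with single quotes (PostgreSQL two-phase commit).
    return "PREPARE TRANSACTION '%s'" % xid


def prepare_transaction_hardened(xid: str) -> str:
    # Escaped fallback; where the driver binds parameters for this
    # statement, binding (as the MySQL dialect does for XA) is preferable.
    return "PREPARE TRANSACTION %s" % quote_sql_literal(xid, "'")


def user_version_after(pragma_sql: str) -> int:
    """Run pragma_sql as a script on a throwaway in-memory SQLite database
    and return user_version afterwards.

    executescript() is used on purpose: it executes every statement in the
    string, which is exactly what an injected second statement needs.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(pragma_sql)
        return conn.execute("PRAGMA user_version").fetchone()[0]
    finally:
        conn.close()


# Constructed password: closes the quoted value, appends a statement,
# then comments out the delimiter the template adds after it.
PAYLOAD = 'hunter2"; PRAGMA user_version = 42; --'


if __name__ == "__main__":
    for label, build in (("vulnerable", key_pragma_vulnerable),
                         ("hardened", key_pragma_hardened)):
        sql = build(PAYLOAD)
        print(f"{label}: {sql}")
        print(f"{label}: user_version = {user_version_after(sql)}")
    print(prepare_transaction_vulnerable("x'; DROP TABLE t; --"))
    print(prepare_transaction_hardened("x'; DROP TABLE t; --"))
```

With the constructed password, the vulnerable builder yields a script whose second statement runs (`user_version` becomes 42); the hardened builder yields a single PRAGMA whose value happens to contain a semicolon, and `user_version` stays 0. In SQLCipher the first statement would instead set the key to that string, which is the correct outcome for an odd password.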

Labels: bug, dialects, sqlite
