Finding 1: PostgreSQL Two-Phase XID Injection (Medium)
dialects/postgresql/base.py:3690,3702,3714 and psycopg.py:626,636 interpolate the XID into SQL via %-formatting inside single-quote delimiters, with no escaping. The MySQL dialect handles the same operation correctly by passing the XID as a query parameter.
Finding 2: SQLCipher Pragma Injection (Medium-High)
dialects/sqlite/pysqlcipher.py:139,143 interpolates the URL password and query parameters into PRAGMA statements inside double-quote delimiters, with no escaping.
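Added illustration, not SQLAlchemy's own code: the builders below are hypothetical stand-ins for the interpolation both findings describe, shown beside a helper that emits a properly quoted literal. A quoting helper rather than a bind parameter is what these two spots need, because PREPARE TRANSACTION and PRAGMA are utility statements that cannot take bound values.

```python
"""Quote-delimited %-formatting vs. a literal-quoting helper (added example)."""
import re

# Refuse control characters and backslashes instead of escaping them:
# PostgreSQL's backslash handling depends on standard_conforming_strings.
_DISALLOWED = re.compile(r"[\x00-\x1f\x7f\\]")
XID_MAX_BYTES = 200  # PostgreSQL: PREPARE TRANSACTION ids must be under 200 bytes


def unsafe_prepare_stmt(xid: str) -> str:
    """Shape of the reported defect: %-formatting inside quotes, no escaping."""
    return "PREPARE TRANSACTION '%s'" % xid


def sql_string_literal(value: str) -> str:
    """Return value as a single-quoted SQL string literal.

    Doubling embedded single quotes is the literal syntax shared by PostgreSQL
    and SQLite, so the result fits utility statements that cannot bind values.
    """
    if not isinstance(value, str):
        raise TypeError("SQL string literal must be built from str")
    if _DISALLOWED.search(value):
        raise ValueError("control characters and backslashes are not allowed")
    return "'" + value.replace("'", "''") + "'"


def safe_prepare_stmt(xid: str) -> str:
    """Hardened form of the PostgreSQL two-phase statement (hypothetical)."""
    if not 0 < len(xid.encode("utf-8")) < XID_MAX_BYTES:
        raise ValueError("xid must be 1..%d bytes" % (XID_MAX_BYTES - 1))
    return "PREPARE TRANSACTION " + sql_string_literal(xid)


def safe_key_pragma(passphrase: str) -> str:
    """SQLCipher key pragma built with the same helper (hypothetical)."""
    return "PRAGMA key = " + sql_string_literal(passphrase)


def literal_count(stmt: str) -> int:
    """Count single-quoted literals in stmt; doubled quotes stay inside one literal.

    A well-formed statement here has exactly one literal; the unsafe builder
    splits a quote-bearing XID into several, which is the injection surface.
    """
    return len(re.findall(r"'(?:[^']|'')*'", stmt))


# Constructed sample: an XID that happens to contain quote characters.
SAMPLE_XID = "batch 'q1' 2024"
```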