kayak / pypika

PyPika is a python SQL query builder that exposes the full richness of the SQL language using a syntax that reflects the resulting query. PyPika excels at all sorts of SQL queries but is especially useful for data analysis.
http://pypika.readthedocs.io/en/latest/
Apache License 2.0

Identifier quote escaping #768

Open alexandermalyga opened 8 months ago

alexandermalyga commented 8 months ago

SQL identifier names are not being escaped, thus enabling SQL injection attacks.

Here is a minimal example to reproduce:

import pypika

table = pypika.Table('my_table"--')
field = getattr(table, 'my_field"--')
builder = (
    pypika.Query.from_(table, dialect=pypika.Dialects.POSTGRESQL)
    .select(field)
    .where(table.name == "value'")
)

print(builder)

This code produces the following SQL, where single quotes are correctly being escaped but double quotes are not:

SELECT "my_field"--" FROM "my_table"--" WHERE "name"='value'''
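As an added example (not PyPika's own code, and not the reporter's snippet above): the PostgreSQL rule that fixes this, doubling every embedded double quote inside a quoted identifier, shown next to a naive quoter that reproduces the reported output, plus a syntactic check that a test suite could run over every quoted identifier a builder emits. The function names are assumptions.

```python
def naive_quote(identifier: str) -> str:
    # Reproduces the reported behaviour: wrap in double quotes but leave any
    # embedded double quote alone, so '"' inside the name ends the token early.
    return '"' + identifier + '"'


def quote_identifier(identifier: str) -> str:
    """Quote a PostgreSQL identifier by doubling every embedded double quote.

    A NUL byte is rejected up front: PostgreSQL does not accept it inside an
    identifier, and a C-string based driver would silently truncate the name.
    """
    if "\x00" in identifier:
        raise ValueError("identifier contains a NUL byte")
    return '"' + identifier.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """String-literal quoting, which the report shows is already correct."""
    return "'" + value.replace("'", "''") + "'"


def quoted_identifier_is_well_formed(token: str) -> bool:
    """Syntactic check for one complete quoted identifier token: it starts and
    ends with a double quote and every interior double quote is doubled."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        return False
    inner, i = token[1:-1], 0
    while i < len(inner):
        if inner[i] == '"':
            if i + 1 >= len(inner) or inner[i + 1] != '"':
                return False  # a lone quote: the identifier ended early
            i += 2
        else:
            i += 1
    return True


def build_select(table: str, field: str, name_value: str, quote=quote_identifier) -> str:
    """Assemble the query from the report with the chosen identifier quoter."""
    return (f"SELECT {quote(field)} FROM {quote(table)} "
            f"WHERE {quote('name')}={quote_literal(name_value)}")


if __name__ == "__main__":
    # Inputs taken from the reproduction in the report.
    table, field, value = 'my_table"--', 'my_field"--', "value'"
    print(build_select(table, field, value, quote=naive_quote))  # reported output
    print(build_select(table, field, value))                     # correctly quoted
```

With the naive quoter the output matches the report exactly; with `quote_identifier` the same inputs yield `"my_field""--"` and `"my_table""--"`, which PostgreSQL parses as single identifiers containing a literal double quote.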

wd60622 commented 7 months ago

Doesn't seem ideal. Would you like to make a PR and write some tests against this behavior?