Is there any way to exploit this code:

course = course.replace('\'', '\\\'')
query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)

to create a query like:
SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = 'ABC'

Here, Python throws a syntax error:

Syntax error at or near "\":
column = \'ABC\'

The replace() method in Python replaces that. Is there any work-around so I can somehow inject something?

  • You don't use .format() on SQL queries. Give the query arguments as a sequence to the .execute() method as described in the documentation. Commented Nov 14, 2019 at 7:32
  • @KlausD. I am afraid the code is not editable. I can just edit the value of string course Commented Nov 14, 2019 at 7:38
  • That's awful suspicious Commented Nov 14, 2019 at 7:39
  • @th0nk- lol. it's academic of course Commented Nov 14, 2019 at 7:43
  • Alright well regardless of your seemingly dubious intentions ;) keep in mind that Postgres doesn't treat backslashes as escape characters outside of LIKE expressions, so the syntax going between the two is not compatible the way this is handled Commented Nov 14, 2019 at 7:45

2 Answers

SOLUTION

Since I have to compare strings, and I cannot use ' because the replace() messes it up, I used $ dollar quoting

So the course looked like 3; SELECT * FROM student WHERE column = $$ABC$$

If course is "3; SELECT * FROM student WHERE column = 'ABC'" I don't get any syntax errors but the result might not work as valid SQL:

>>> def a(course):
...     course = course.replace('\'', '\\\'')
...     query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)
...     return query
...
>>> a("3; SELECT * FROM student WHERE column = 'ABC'")
"SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = \\'ABC\\'"

But the code is indeed very exploitable if other queries are possible. This example, for instance, would work just fine:

>>> a("3; SELECT * FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student'

And so would these dangerous ones:

>>> a("3; DELETE FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; DELETE FROM student'
>>> a("DROP TABLE student")
'SELECT * FROM student WHERE cost_per_unit > DROP TABLE student'

4 Comments

  • The string comparison is definitely necessary in this case. It should work fine for other queries. I wonder if there is any way to somehow I can compare the string without using the quotations.
  • PostgreSQL doesn't support " instead of '.
  • @SakshamChawla sorry that's all I've got
  • "If course is "3; SELECT * FROM student WHERE column = 'ABC'" I don't get any syntax errors but the result might not work as valid SQL:" Right. The python syntax is valid, it is the SQL syntax which has the error.
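As an added example, not code from the question or either answer: the vulnerable builder from the question next to a hardened version that allow-lists the value as a number and then binds it as a query parameter, so the dollar-quoted and stacked-statement inputs discussed in this thread are rejected before any SQL is built. It runs offline against an in-memory sqlite3 table with constructed rows; the remark about psycopg2 placeholders is an assumption about the asker's PostgreSQL driver.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample data standing in for the question's student table.
ROWS = [("alice", 2.5), ("bob", 4.0), ("carol", 7.25)]


def vulnerable_query(course: str) -> str:
    """The builder from the question: escaping quotes does not make format() safe,
    because a numeric context needs no quotes and Postgres has $$ dollar quoting."""
    course = course.replace("'", "\\'")
    return "SELECT * FROM student WHERE cost_per_unit > {}".format(course)


def parse_cost(course: str) -> Decimal:
    """Allow-list the value: it must be a plain, finite decimal number and nothing else.
    Anything carrying ';', quotes or keywords fails Decimal parsing and is rejected."""
    try:
        value = Decimal(course.strip())
    except InvalidOperation:
        raise ValueError(f"cost_per_unit must be numeric, got {course!r}") from None
    if not value.is_finite():  # also rejects 'NaN' and 'Infinity'
        raise ValueError("cost_per_unit must be a finite number")
    return value


def safe_lookup(conn: sqlite3.Connection, course: str) -> list:
    """Validate, then bind the value as a parameter so the driver treats it as data.
    sqlite3 uses '?' placeholders; psycopg2 uses '%s' with the same tuple argument."""
    cost = parse_cost(course)
    return conn.execute(
        "SELECT name, cost_per_unit FROM student WHERE cost_per_unit > ?",
        (float(cost),),
    ).fetchall()


def make_db() -> sqlite3.Connection:
    """Build the in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (name TEXT, cost_per_unit REAL)")
    conn.executemany("INSERT INTO student VALUES (?, ?)", ROWS)
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    """Number of rows still in the table (used to confirm nothing was deleted)."""
    return conn.execute("SELECT COUNT(*) FROM student").fetchone()[0]
```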
