| Title | Queries to TeamTrack database may fail because of unescaped quotes in SQL |
| Status | closed |
| Priority | essential |
| Assigned user | Gareth Rees |
| Organization | Ravenbrook |
| Description | Queries to TeamTrack database may fail because of unescaped quotes in SQL. |
| Analysis | Lots of SQL queries are constructed by Python code like "TS_P4DTI_JOBNAME='%s'" % job['Job']. This fails if the jobname contains a single quote, because the quote terminates the string literal early: the resulting SQL has a syntax error, and whatever follows the quote is parsed as SQL rather than as data. Strings must be escaped before being incorporated into queries if there is any possibility that they contain quotes. |
| How found | inspection |
| Evidence | None as yet. |
| Created by | Gareth Rees |
| Created on | 2000-10-19 18:09:07 |
| Last modified by | Gareth Rees |
| Last modified on | 2001-12-10 18:58:25 |
| History | 2000-10-19 GDR Created 2000-11-21 RB Downgraded to essential. Needs more analysis to tell whether it's actually important, but might just be easier to add the appropriate escapes everywhere. 2000-11-30 GDR Closed. In fact there was only one place where escapes were needed. All other queries were safe. I implemented ANSI SQL string escaping and tested it in Microsoft Access. |
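The following is an added example, not code from the P4DTI dt_teamtrack module, showing the failure described in the analysis and the ANSI SQL escaping (doubling each single quote) that the fix applied. It uses Python 3 and the standard library's sqlite3 module as a stand-in for the TeamTrack database; the table name TS_CASES, the TS_ID column and the sample job names are constructed for illustration. It goes one step beyond the defect report, which only mentions the syntax error: the same unescaped construction also lets a crafted name change the meaning of the query, and the escaped and parameterised forms both close that off.

```python
# Added example (not dt_teamtrack code). Table/column names other than
# TS_P4DTI_JOBNAME are assumed for illustration; sqlite3 stands in for TeamTrack.
import sqlite3

QUERY = "SELECT TS_ID FROM TS_CASES WHERE TS_P4DTI_JOBNAME='%s'"


def build_query_unescaped(jobname):
    # The construction the analysis describes: the value is pasted straight
    # into the string literal, so a quote in jobname ends the literal early.
    return QUERY % jobname


def sql_escape_string(s):
    # ANSI SQL string escaping: a single quote inside a string literal is
    # written as two single quotes. Nothing else needs escaping in a
    # standard single-quoted literal (backslash is not special in ANSI SQL).
    return s.replace("'", "''")


def build_query_escaped(jobname):
    # The shape of the fix: escape before interpolating.
    return QUERY % sql_escape_string(jobname)


def make_db():
    # Constructed sample data: one job name contains single quotes.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TS_CASES (TS_ID INTEGER PRIMARY KEY, TS_P4DTI_JOBNAME TEXT)"
    )
    conn.executemany(
        "INSERT INTO TS_CASES (TS_ID, TS_P4DTI_JOBNAME) VALUES (?, ?)",
        [(1, "job000123"), (2, "O'Brien's job"), (3, "job000456")],
    )
    conn.commit()
    return conn


def lookup(conn, sql):
    """Run sql; return ('ok', sorted ids) or ('error', message)."""
    try:
        rows = conn.execute(sql).fetchall()
        return ("ok", sorted(row[0] for row in rows))
    except sqlite3.Error as e:
        # The unescaped query with a quoted name lands here: syntax error.
        return ("error", str(e))


def lookup_parameterised(conn, jobname):
    # The preferred form where the driver supports it: the value never
    # becomes part of the SQL text, so no escaping is needed at all.
    rows = conn.execute(
        "SELECT TS_ID FROM TS_CASES WHERE TS_P4DTI_JOBNAME=?", (jobname,)
    ).fetchall()
    return sorted(row[0] for row in rows)


def demo():
    conn = make_db()
    quoted = "O'Brien's job"
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        "plain_unescaped": lookup(conn, build_query_unescaped("job000123")),
        "quoted_unescaped": lookup(conn, build_query_unescaped(quoted))[0],
        "quoted_escaped": lookup(conn, build_query_escaped(quoted)),
        "crafted_unescaped": lookup(conn, build_query_unescaped(crafted)),
        "crafted_escaped": lookup(conn, build_query_escaped(crafted)),
        "quoted_parameterised": lookup_parameterised(conn, quoted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Doubling quotes is the escaping the history entry says was tested against Microsoft Access, and it is correct for any ANSI-conformant backend; a backend that also treats backslash as an escape character (MySQL in its default mode, for example) needs its own rule, so the escaping routine has to match the database actually in use. Escaping also only protects string literals: a value interpolated into a numeric position has no quotes to escape, which is one reason parameterised queries are the safer default when the driver offers them.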
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 5191 | closed | 2000-11-30 17:53:01 | Gareth Rees | The dt_teamtrack module escapes strings before putting them in SQL statements. |