
I am supposed to look at this chunk of code and decide what parts could be vulnerable to SQL Injection, why, and add fixes to them. I have been scanning the code looking for places that have too vague of parameters and such, but I am having trouble finding places that could possibly be vulnerable. If anyone can just quickly scan through this code and point out any blatant vulnerabilities, that would be great. The program really likes to give error messages when input is given with single quotes. This code is part of a program that tracks activities. There are 3 input fields: username, password and name of activity. I can post more code if anyone wants.

#!/usr/bin/python3.4

import readline
import sqlite3

def audit(handle, event, obj=None):
  """Log an audit event."""
  if handle[2] is None:
    handle[2]=-1;
  if obj==None:
    handle[0].execute("insert into auditlog(userid, event)"
                  "  values({0}, '{1}')".format(handle[2],event))
  else:
    handle[0].execute("insert into auditlog(userid, event, object)"
                  "  values({0}, '{1}', {2})".format(str(handle[2]),
                                             event, obj))
  if handle[0].lastrowid is None:
    """On error, raise a SystemException"""
    handle[1].commit()
    handle[1].close()
    raise SystemError("Error creating audit log entry.",
                  handle[2],event,obj)
  handle[1].commit()

def register(cursor, connection, username, password):
  """Register a new user and return a connection to the database."""
  cursor.execute("insert into user(username, password)"
             "  values('{0}', '{1}')".format(username, password))
  userid=cursor.lastrowid;
  if userid>0:
    audit((cursor, connection, userid), "registered")
    connection.commit()
    print("Welcome, new user!")
    return (cursor, connection, userid)
  """If the user could not be registered, raise a SystemError."""
  audit((cursor, connection, 0), 
    "registeration error for {0}".format(username))
  connection.commit()
  connection.close()
  raise SystemError("Unknown error registering user",username)

def connect(username, password):
  """Attempt to log in as the specified user."""
  connection=sqlite3.connect('timelog.db')
  cursor=connection.cursor()
  """The database is created if necessary."""
  cursor.execute("create table if not exists user"
                 "( id integer primary key,"
                 "  username varchar(50) unique not null,"
                 "  password char(40) not null,"
                 "  created datetime default CURRENT_TIMESTAMP,"
                 "  modified datetime default CURRENT_TIMESTAMP"
                 ")")
  • Ok, look, it's the documentation! Commented Apr 8, 2015 at 22:03
  • @Carsten could you point out some examples? Commented Apr 8, 2015 at 22:10
  • Have you actually checked if it's vulnerable to SQL Injection by testing it? There are several ways to test it. Commented Apr 8, 2015 at 22:19
  • @SeanJean No, because it's in the first section. Oh come on, have the decency and read for 5 minutes to avoid lots and lots of terrible things. They literally write about your method "Never do this -- insecure!" Commented Apr 8, 2015 at 22:22
  • @Carsten okay then go elsewhere, I am completely new to this, and have no idea what any of this code means Commented Apr 8, 2015 at 22:25

1 Answer


For example this statement is vulnerable to SQL injection:

cursor.execute("insert into user(username, password)"
         "  values('{0}', '{1}')".format(username, password))

I could for example enter the username:

test','secret');update user set password='';--

You should use parametrised queries instead. Using SQLite you can call the SQL like this instead:

cmd = "insert into user(username, password) values(?, ?)"
cursor.execute(cmd, (username, password))
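To make the answer's point concrete, here is an added example (not code from the question or the answer) that runs the question's format-string insert beside the parametrised form against an in-memory SQLite database, using the same input for both. The names make_db, register_unsafe, register_safe, stored_username and compare are chosen for this example.

```python
import sqlite3

# Constructed schema mirroring the question's user table (example only).
SCHEMA = """create table user(
  id integer primary key,
  username varchar(50) unique not null,
  password char(40) not null)"""

def make_db():
    """Fresh in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def register_unsafe(conn, username, password):
    """The question's pattern: user input is pasted into the SQL text."""
    cur = conn.cursor()
    cur.execute("insert into user(username, password)"
                "  values('{0}', '{1}')".format(username, password))
    conn.commit()
    return cur.lastrowid

def register_safe(conn, username, password):
    """Parametrised form: sqlite3 binds the values, they never become SQL."""
    cur = conn.cursor()
    cur.execute("insert into user(username, password) values(?, ?)",
                (username, password))
    conn.commit()
    return cur.lastrowid

def stored_username(conn, userid):
    """Read back what was actually stored for a row."""
    row = conn.execute("select username from user where id = ?", (userid,)).fetchone()
    return row[0] if row else None

def compare(username, password="pw"):
    """Return {'unsafe': (status, detail), 'safe': (status, detail)} for one input."""
    results = {}
    for label, fn in (("unsafe", register_unsafe), ("safe", register_safe)):
        conn = make_db()
        try:
            uid = fn(conn, username, password)
            results[label] = ("ok", stored_username(conn, uid))
        # A quote in the input breaks the SQL text (OperationalError); a second
        # statement smuggled in is rejected by sqlite3's execute() as well.
        except (sqlite3.Error, sqlite3.Warning) as exc:
            results[label] = ("error", type(exc).__name__)
        finally:
            conn.close()
    return results
```

compare("O'Brien") shows the question's symptom: the unsafe version raises an OperationalError on the single quote, while the safe version stores the name exactly as typed, and the answer's injected username ends up stored as a plain string.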


1 Comment

SQLite does not have stored procedures; and the naive approach of giving the strings to the SP call would introduce exactly the same problem.
