[MySQL] Auto-create database. if it doesn't exist yet. #53
Comments
Here we create the tables - before that line there must be the creation of the database if it does not exist yet.
Hi @d-Rickyy-b, I was looking into the code. I could see a commented-out line above your given statement which creates the database if it doesn't exist. Could you please tell me why uncommenting this will not be a solution?
Hi @suparnasnair thanks for commenting :). I totally forgot that I started implementing that. https://github.com/d-Rickyy-b/pastepwn/blob/master/pastepwn/database/mysqldb.py#L41-L48 Sadly this brings the possibility of an SQL injection. While the user itself got access to the database and needs to configure the database name themselves, I am not sure if it's a good idea to leave that open for an SQL injection vulnerability. I can't think of any good threat model to describe this issue further, but maybe there is one I am not thinking about currently.
Basically you can't overcome the SQL injection problem because prepared statements won't work on 'CREATE DATABASE'. The only option I can think of is to add a library that escapes SQL injection attacks, or presetting the database name (hard-coded).
@razper Hmm, maybe presetting the name to a hardcoded one would be a great solution for now. I would have to check back on what needs to be changed and update the requirements for the issue accordingly. Thank you.
As far as I know, to do an SQL injection you would need a lot more chars than for a db name. Checking the name with the regex ^([A-Za-z_-]+)$ should remove any injections while still accepting almost all database names.
This leaves the possibility to do '--' and comment out the rest of the command, but that would just throw an exception and not do anything with the db.
Hello @d-Rickyy-b!
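The comments above make two points: a prepared-statement placeholder cannot stand in for an identifier in CREATE DATABASE, and an allowlist check on the name is therefore where the real protection has to come from. The following is an added example, not pastepwn's own code and not part of this thread; it places the string-formatting pattern the thread warns about next to a hardened variant that validates the name against a conservative allowlist (letters, digits, underscore, at most 64 characters, MySQL's identifier limit; a stricter pattern than the one proposed above, chosen here so the unquoted form stays valid) and backtick-quotes the identifier. The `RecordingCursor`, `validate_db_name`, `build_create_db`, and `ensure_database` names are assumptions made for this example.

```python
import re

# Allowlist for a database name: letters, digits and underscore, 1..64 characters.
# 64 is MySQL's identifier length limit; the character set is a deliberate choice
# for this example and is stricter than the regex proposed in the thread.
_DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def build_create_db_unsafe(name: str) -> str:
    """The pattern the thread warns about: the caller-supplied name is pasted
    into the statement unchanged, so any SQL inside it becomes part of the query."""
    return "CREATE DATABASE IF NOT EXISTS %s" % name


def validate_db_name(name: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise ValueError.

    Because placeholders cannot be used for identifiers, this check is the
    control that actually keeps attacker-influenced text out of the statement.
    """
    if not isinstance(name, str) or not _DB_NAME_RE.match(name):
        raise ValueError("invalid database name: %r" % (name,))
    return name


def build_create_db(name: str) -> str:
    """Validate, then emit the identifier backtick-quoted.

    Quoting is defence in depth: the allowlist already rejects backticks, but
    doubling them is the correct escape for a MySQL quoted identifier, so the
    statement stays well-formed even if the allowlist is loosened later.
    """
    safe = validate_db_name(name)
    return "CREATE DATABASE IF NOT EXISTS `%s`" % safe.replace("`", "``")


def ensure_database(cursor, name: str) -> str:
    """Create the database if it is missing, using any DB-API style cursor.

    Returns the statement that was executed so callers (and tests) can inspect it.
    """
    statement = build_create_db(name)
    cursor.execute(statement)
    return statement


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor: records statements instead of
    talking to a server, so the example runs offline."""

    def __init__(self):
        self.executed = []

    def execute(self, statement, params=None):
        self.executed.append(statement)


if __name__ == "__main__":
    cur = RecordingCursor()
    print(ensure_database(cur, "pastepwn"))
    for bad in ("pastes; SELECT 1", "foo`bar", "", "x" * 65):
        try:
            build_create_db(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Running the script prints the quoted statement for a well-formed name and a rejection line for each malformed one; `ensure_database` never reaches `cursor.execute` for a rejected name, which is the behaviour a reviewer would want to confirm before uncommenting the original auto-create code.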
If the specified database does not exist yet, create it for the user.
That seems to have several issues with SQLI... let's see.