SQL Injection
Opened this issue · 0 comments
Hello! I hope you are having a good day, I found your code and i started reading it and i noticed that you have a SQL injection vulnerability which can allow login bypass.
In the line 34 of the file lms/LMS/user/views.py You can find the following line of code.
cursor.execute("SELECT * from users where email = '{}' and password = '{}' ".format(email,password))
using .format()
in cursor.execute
is dangerous, because the user input is not sanitized, so a user could input an email and the string ' or '1' = '1
and the login would be correct without having the correct password.
I haven't tried executing this vulnerability, so i would appreciate if you try to execute it in your system to tell me if it works or not.
To solve this, instead of using .format()
i recommend you using the following method:
query = "SELECT * from users where email = %s and password = %s "
cursor.execute(query, (email, password))
In this way, the user input wouldn't be interpreted as sql commands and your app would be safer.