
I am building a link shortening service using Flask and SQLite. The shortening part is done, but I am having issues calling the actual URL from the SQLite db.

Here's my table:

CREATE TABLE WEB_URL(
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        URL TEXT ,
        S_URL TEXT ,
        COUNTER INT DEFAULT 0
        );

And the get redirect function is:

import sqlite3
from flask import Flask, redirect, render_template

app = Flask(__name__)

@app.route('/<short_url>')
def go(short_url):  # renamed: naming the view 'redirect' shadows flask.redirect
    conn = sqlite3.connect('url.db')
    cursor = conn.cursor()
    # short_url is pasted straight into the SQL text, so SQLite parses it as
    # SQL (the cause of the error below) rather than comparing it as a value
    select_row = '''
        SELECT URL FROM WEB_URL WHERE S_URL = %s
        ''' % (short_url)
    result_cur = cursor.execute(select_row)
    try:
        redirect_url = result_cur.fetchone()[0]  # fetchnone() does not exist
        conn.commit()
        conn.close()
        return redirect(redirect_url)
    except Exception as e:
        error = e
        return render_template('index.html', error=error)

It's throwing an operational error:

   result_cur = cursor.execute(select_row)
OperationalError: no such column: favicon.ico

Now I have never ever mentioned favicon.ico in my code. What am I doing wrong? Thanks!

Padam Sethia
    `favicon.ico` is probably queried by the browser to your root address for displaying a small icon of your web link in the browser tab. To prevent this you need to sanitize the `short_url`. You must not assume that the client would always enter a valid web address. It may inject some SQL program using this link as well. So make sure `short_url` is properly sanitized before querying the database – ZdaR Jun 23 '17 at 07:55
    You have a huge SQL injection issue here; you should only ever use query parameters! `cursor.execute("SELECT URL FROM WEB_URL WHERE S_URL = ?", (short_url,))`. You do *not* need to commit the transaction either, you are not making any changes to your database (at least, not intentionally, but with that wide open SQL injection issue you never know). – Martijn Pieters Jun 23 '17 at 08:04
    Your error message rendering actually tells an attacker how to adjust their injection attempts; I'd not expose that much information about your error to the requestor. – Martijn Pieters Jun 23 '17 at 08:04
  • I'll try the fix and let you guys know. Thanks! – Padam Sethia Jun 23 '17 at 11:12
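The two lookups side by side, as an added example that is not part of the question or the comments: the interpolated query from the question reproduces the `no such column: favicon.ico` error, while the parameterised form suggested in the comments treats `favicon.ico` as a plain value and simply finds no row. It runs against a constructed in-memory copy of the `WEB_URL` table, not the asker's `url.db`, and also increments `COUNTER` on a successful hit.

```python
import sqlite3

def make_db():
    # Constructed in-memory copy of the question's WEB_URL table, seeded
    # with one shortened link (sample data, not the asker's database).
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE WEB_URL(
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        URL TEXT, S_URL TEXT, COUNTER INT DEFAULT 0)""")
    conn.execute("INSERT INTO WEB_URL (URL, S_URL) VALUES (?, ?)",
                 ("https://example.com/docs", "abc123"))
    conn.commit()
    return conn

def lookup_unsafe(conn, short_url):
    # The pattern from the question: the path segment is pasted into the
    # SQL text, so SQLite parses 'favicon.ico' as a table.column reference.
    query = "SELECT URL FROM WEB_URL WHERE S_URL = %s" % (short_url,)
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def lookup_safe(conn, short_url):
    # Parameterised form from the comments: the driver binds the value, so
    # whatever the client sends is compared as a string, never parsed.
    row = conn.execute("SELECT URL FROM WEB_URL WHERE S_URL = ?",
                       (short_url,)).fetchone()
    if row is None:
        return None  # the view should answer 404 here, not render the exception
    conn.execute("UPDATE WEB_URL SET COUNTER = COUNTER + 1 WHERE S_URL = ?",
                 (short_url,))
    conn.commit()
    return row[0]

def hit_count(conn, short_url):
    row = conn.execute("SELECT COUNTER FROM WEB_URL WHERE S_URL = ?",
                       (short_url,)).fetchone()
    return row[0] if row else None

def unsafe_error_for(conn, short_url):
    # Returns the driver's error text for the unsafe query, or None if it ran.
    try:
        lookup_unsafe(conn, short_url)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print(unsafe_error_for(db, "favicon.ico"))  # no such column: favicon.ico
    print(lookup_safe(db, "favicon.ico"))       # None
    print(lookup_safe(db, "abc123"))            # https://example.com/docs
```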

0 Answers