Is it possible SQL injection in flask-sqlalchemy?

Question

I have the code below in flask using SQLAlchemy and marshmallow:

def search(category_name, version):
    library = Library.query.filter(Library.category == category_name).filter(Library.subversion == version).all()

    library_schema = LibrarySchema(many=True)
    data = library_schema.dump(library)
    return data

How can I be sure the code is not vulnerable to SQL injection?

score 0 · Answer 1 · answered Dec 02 '19 at 16:09

0

The quickest way to be check if you're vulnerable is to send "X' OR '1' = '1'--" as category_name / version to that function and see what happens.

In other words, perform the sql injection yourself.

answered Dec 02 '19 at 16:09

c8999c 3f964f64

1,430
1
12
25

Is it possible SQL injection in flask-sqlalchemy?

1 Answers1