| タイトル | code-projects Contact Management System in Python unknown SQL Injection |
|---|
| 説明 | An SQL injection vulnerability exists in the Contact Management System (file Contact_Management/index.py) where a DELETE statement is constructed using Python string formatting with a value taken directly from the GUI selection. The code formats selecteditem[0] into the SQL command instead of using a parameterized query, which is an unsafe coding pattern. If an attacker can influence the mem_id value (for example by tampering with UI data or an input source that populates the tree), this may allow execution of unintended SQL statements against the local SQLite database, resulting in unauthorized data deletion, modification, or exposure. The application stores personal data (firstname, lastname, address, contact, etc.) in the local pythontut.db SQLite file, which increases the confidentiality and integrity impact if the database is manipulated or accessed.
Evidence (code excerpt):
index.pyLines 170-176
curItem = tree.focus() contents =(tree.item(curItem)) selecteditem = contents['values'] tree.delete(curItem) conn = sqlite3.connect("pythontut.db") cursor = conn.cursor() cursor.execute("DELETE FROM `member` WHERE `mem_id` = %d" % selecteditem[0])
Affected component: Contact_Management/index.py (DELETE path shown above).
Impact: unauthorized data deletion/modification and potential data disclosure of locally stored PII.
Severity: High. |
|---|
| ユーザー | imcoming (UID 95032) |
|---|
| 送信 | 2026年01月30日 11:47 (3 月 ago) |
|---|
| モデレーション | 2026年02月07日 16:00 (8 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 344877 [code-projects Contact Management System 1.0 index.py selecteditem[0] SQLインジェクション] |
|---|
| ポイント | 17 |
|---|