| Título | code-projects Contact Management System in Python unknown SQL Injection |
|---|
| Descrição | An SQL injection vulnerability exists in the Contact Management System (file Contact_Management/index.py) where a DELETE statement is constructed using Python string formatting with a value taken directly from the GUI selection. The code formats selecteditem[0] into the SQL command instead of using a parameterized query, which is an unsafe coding pattern. If an attacker can influence the mem_id value (for example by tampering with UI data or an input source that populates the tree), this may allow execution of unintended SQL statements against the local SQLite database, resulting in unauthorized data deletion, modification, or exposure. The application stores personal data (firstname, lastname, address, contact, etc.) in the local pythontut.db SQLite file, which increases the confidentiality and integrity impact if the database is manipulated or accessed.
Evidence (code excerpt):
index.pyLines 170-176
curItem = tree.focus() contents =(tree.item(curItem)) selecteditem = contents['values'] tree.delete(curItem) conn = sqlite3.connect("pythontut.db") cursor = conn.cursor() cursor.execute("DELETE FROM `member` WHERE `mem_id` = %d" % selecteditem[0])
Affected component: Contact_Management/index.py (DELETE path shown above).
Impact: unauthorized data deletion/modification and potential data disclosure of locally stored PII.
Severity: High. |
|---|
| Utilizador | imcoming (UID 95032) |
|---|
| Submissão | 30/01/2026 11h47 (há 3 meses) |
|---|
| Moderação | 07/02/2026 16h00 (8 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 344877 [code-projects Contact Management System 1.0 index.py selecteditem[0] Injeção SQL] |
|---|
| Pontos | 17 |
|---|