
SQL injection

Open · frafra opened this issue 3 years ago · 1 comment

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/projectCreation/import_images.py#L80-L82

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/projectCreation/import_images.py#L90-L94

https://github.com/microsoft/aerial_wildlife_detection/blob/de150d03e267676876554f62188689cf4196f4bb/application.py#L69-L73

There are various examples of this in the source code.

frafra · Apr 20 '21 12:04

Hello,

Thank you very much for raising these issues. As a matter of fact, most of them are in legacy import and export scripts that are more or less replaced with browser functionality. I nonetheless replaced them in the latest commit on the current development branch ("aide_detectron2"), which is going to become the new master branch accordingly. All other locations should be SQL injection-proof as well.

The only exception is the setup/migrate_aide.py script, which would require too many formatting commands for each project. However, this script is only executed at the launch of AIDE and cannot be accessed from the Web server in any normal way.

FYI: the first two examples pose a risk of SQL injection; the third is the officially recommended way of using the psycopg2 library and involves automatic SQL injection prevention in the library itself (see documentation).

bkellenb · May 14 '21 15:05
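An added illustration of the two patterns the reply contrasts (this is not code from the AIDE repository): a value pasted into the SQL text versus a value handed to the driver as a parameter. It uses Python's built-in sqlite3 so it runs without a PostgreSQL server; the `image` table and the filenames are constructed for the demo, and the psycopg2 equivalent is noted in a comment.

```python
import sqlite3


def make_db():
    # Constructed stand-in for an image table (assumption: AIDE's real
    # schema differs; only the query-building pattern matters here).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE image (filename TEXT NOT NULL)")
    return conn


def insert_formatted(conn, filename):
    # Vulnerable pattern: the value is spliced into the statement text, so a
    # filename containing a quote is parsed as SQL instead of being stored.
    conn.execute(f"INSERT INTO image (filename) VALUES ('{filename}')")


def insert_parameterized(conn, filename):
    # Safe pattern: statement and value travel separately and the value can
    # never be interpreted as SQL. psycopg2 works the same way, with %s as
    # the placeholder: cur.execute("... VALUES (%s)", (filename,)).
    conn.execute("INSERT INTO image (filename) VALUES (?)", (filename,))


def stored_filenames(conn):
    return [row[0] for row in conn.execute("SELECT filename FROM image ORDER BY rowid")]


def demo(filename):
    """Return what each pattern does with one filename: ('stored: ...' or
    'error: ...' for the formatted insert, 'stored: ...' for the parameterized one)."""
    conn = make_db()
    try:
        insert_formatted(conn, filename)
        formatted = "stored: " + stored_filenames(conn)[-1]
    except sqlite3.Error as exc:
        formatted = "error: " + type(exc).__name__
    insert_parameterized(conn, filename)
    parameterized = "stored: " + stored_filenames(conn)[-1]
    return formatted, parameterized


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a name with an apostrophe, and a
    # name whose quote and comment marker truncate the formatted statement.
    for name in ("plain.jpg", "O'Brien.jpg", "x') -- rest.jpg"):
        print(repr(name), "->", demo(name))
```

Parameters cover values only; names that must vary per project (schemas, tables, columns) cannot be passed that way, and for those psycopg2 offers the `psycopg2.sql` module (`sql.SQL`, `sql.Identifier`) so the quoting is done by the library rather than by string formatting.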