
Potential SQL Injection vulnerability #2

@Arian-Ott

Description


Zaber,

I have seen your repo listed in the GitHub education community exchange and I looked through some of your code.

cursor.execute(f"SELECT COUNT(*) FROM {table_name}")

From what I see here, you pass the table name directly from the input.

python -m database_swap.main test-connection --db-type sqlite --database "; DROP DATABASE;"

Inputs like those I described in the example command should either throw errors or be escaped.

Depending on the config file or migration file, unauthorised third parties who have access to the file could take down entire databases.

I would recommend using an ORM or sanitising the SQL statement before running it.

Best regards,
Arian
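The pattern flagged above next to a hardened version, as an added example that is not code from the database_swap project: a table name cannot be bound as a query parameter, so the safe variant allow-lists the identifier against the SQLite catalog and quotes it before interpolation. The in-memory database and the table names in it are constructed for the demonstration.

```python
import sqlite3


def make_demo_connection() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the project's real connection.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users (name) VALUES ('a'), ('b'), ('c');"
        'CREATE TABLE "odd name" (x INTEGER);'
    )
    return conn


def count_rows_unsafe(conn: sqlite3.Connection, table_name: str) -> int:
    # The pattern reported in the issue: the identifier is interpolated verbatim,
    # so anything appended to the "table name" becomes part of the statement.
    cur = conn.cursor()
    cur.execute(f"SELECT COUNT(*) FROM {table_name}")
    return cur.fetchone()[0]


def quote_identifier(name: str) -> str:
    # Standard SQL identifier quoting: double quotes, with embedded quotes doubled.
    return '"' + name.replace('"', '""') + '"'


def count_rows_safe(conn: sqlite3.Connection, table_name: str) -> int:
    # Identifiers cannot be parameterised, so reject anything that is not an
    # existing table (allow-list from the catalog) and quote what remains.
    cur = conn.cursor()
    cur.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    existing = {row[0] for row in cur.fetchall()}
    if table_name not in existing:
        raise ValueError(f"unknown table: {table_name!r}")
    cur.execute(f"SELECT COUNT(*) FROM {quote_identifier(table_name)}")
    return cur.fetchone()[0]


def is_rejected(conn: sqlite3.Connection, table_name: str) -> bool:
    # True when the hardened function refuses the input.
    try:
        count_rows_safe(conn, table_name)
    except ValueError:
        return True
    return False
```

Because the allow-list is built from the live catalog, a legitimate table name containing spaces or quotes still works, while any input that is not exactly a table name is refused before it reaches the SQL engine.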
