Re: [sqlalchemy] Parameter injection issue upon db engine creation (tested with db2)

2016-07-29 Thread Mike Bayer
Hello - This issue is specific to the workings of the dialect, in that it is concatenating the URL components into a single string for the DBAPI connect function. As ibm_db_sa is not part of SQLAlchemy, you'd need to report this issue to them. However, the same technique you refer to here

[sqlalchemy] Parameter injection issue upon db engine creation (tested with db2)

2016-07-29 Thread Miklós Zakar
Hi, I discovered an issue in the db engine creation code. When the code prepares the db connection string, it fails to escape the semicolon char. This makes it possible to inject arbitrary parameters into the connection string. Under some circumstances this can be a security issue. PoC: I created two
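Added example, not code from either poster, from SQLAlchemy or from ibm_db_sa: it illustrates the mechanism both messages describe, a dialect concatenating URL components into a `KEY=value;` string for the DBAPI `connect()` call without escaping `;`. The DB2-style key names and the `key=value;` layout are assumptions made for the illustration, as is the `SECURITY` key used as the injected parameter; the URLs are constructed inputs. The hardened builder simply refuses values containing `;`, since the string format has no escape mechanism to rely on.

```python
from urllib.parse import urlsplit, unquote

# Constructed inputs for this example. A percent-encoded ';' in the password
# survives URL parsing and is decoded by unquote(), exactly as a URL-to-string
# dialect would do before handing the result to the driver.
INJECTED_URL = "db2://user:s3cret%3BSECURITY=NONE@host:50000/testdb"
BENIGN_URL = "db2://user:s3cret@host:50000/testdb"


def _fields(url):
    """Pull the pieces of a SQLAlchemy-style URL into the (assumed) key=value
    fields a DB2-style DBAPI connection string is built from."""
    u = urlsplit(url)
    return {
        "DATABASE": u.path.lstrip("/"),
        "HOSTNAME": u.hostname or "",
        "PORT": str(u.port or 50000),
        "PROTOCOL": "TCPIP",
        "UID": unquote(u.username or ""),
        "PWD": unquote(u.password or ""),
    }


def build_conn_str_unsafe(url):
    """Vulnerable builder: plain concatenation, no check for ';' in values."""
    return "".join(f"{k}={v};" for k, v in _fields(url).items())


def parse_conn_str(s):
    """Model of how a driver reads the string: split on ';', take KEY=value
    pairs, and let a later key override an earlier one. This is what turns an
    unescaped ';' inside one value into an extra, attacker-chosen parameter."""
    params = {}
    for part in s.split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params[key.strip().upper()] = value
    return params


class ConnStringInjection(ValueError):
    """Raised when a URL component would smuggle extra parameters."""


def build_conn_str_safe(url):
    """Hardened builder: because the assumed format has no escaping rule,
    refuse any component containing the separator instead of concatenating."""
    out = []
    for k, v in _fields(url).items():
        if ";" in v:
            raise ConnStringInjection(f"{k} contains ';', refusing to build connection string")
        out.append(f"{k}={v};")
    return "".join(out)


if __name__ == "__main__":
    leaked = build_conn_str_unsafe(INJECTED_URL)
    print("unsafe string:", leaked)
    print("driver sees:  ", parse_conn_str(leaked))  # SECURITY=NONE appears as its own key
    try:
        build_conn_str_safe(INJECTED_URL)
    except ConnStringInjection as exc:
        print("safe builder: ", exc)
```

Run it and compare the two dictionaries: with the unsafe builder the password is truncated to `s3cret` and a new `SECURITY` parameter appears, so anything after the `;` in the URL is interpreted by the driver as configuration rather than as data. Whether that is exploitable depends on which parameters the particular driver honours, which is why the reporter says "under some circumstances".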