File tree Expand file tree Collapse file tree 1 file changed +10
-6
lines changed Expand file tree Collapse file tree 1 file changed +10
-6
lines changed Original file line number Diff line number Diff line change @@ -1427,12 +1427,16 @@ How to use placeholders to bind values in SQL queries
14271427
14281428SQL operations usually need to use values from Python variables. However,
14291429beware of using Python's string operations to assemble queries, as they
1430- are vulnerable to `SQL injection attacks `_ (see the `xkcd webcomic
1431- <https://xkcd.com/327/> `_ for a humorous example of what can go wrong)::
1432-
1433- # Never do this -- insecure!
1434- symbol = 'RHAT'
1435- cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
1430+ are vulnerable to `SQL injection attacks `_. For example, an attacker can simply
1431+ close the single quote and inject ``OR TRUE `` to select all rows::
1432+
1433+ >>> # Never do this -- insecure!
1434+ >>> symbol = input()
1435+ ' OR TRUE; --
1436+ >>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
1437+ >>> print(sql)
1438+ SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
1439+ >>> cur.execute(sql)
14361440
14371441Instead, use the DB-API's parameter substitution. To insert a variable into a
14381442query string, use a placeholder in the string, and substitute the actual values
You can’t perform that action at this time.
0 commit comments