File tree Expand file tree Collapse file tree 1 file changed +10
-6
lines changed Expand file tree Collapse file tree 1 file changed +10
-6
lines changed Original file line number Diff line number Diff line change @@ -1813,12 +1813,16 @@ How to use placeholders to bind values in SQL queries
18131813
18141814SQL operations usually need to use values from Python variables. However,
18151815beware of using Python's string operations to assemble queries, as they
1816- are vulnerable to `SQL injection attacks `_ (see the `xkcd webcomic
1817- <https://xkcd.com/327/> `_ for a humorous example of what can go wrong)::
1818-
1819- # Never do this -- insecure!
1820- symbol = 'RHAT'
1821- cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
1816+ are vulnerable to `SQL injection attacks `_. For example, an attacker can simply
1817+ close the single quote and inject ``OR TRUE `` to select all rows::
1818+
1819+ >>> # Never do this -- insecure!
1820+ >>> symbol = input()
1821+ ' OR TRUE; --
1822+ >>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
1823+ >>> print(sql)
1824+ SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
1825+ >>> cur.execute(sql)
18221826
18231827Instead, use the DB-API's parameter substitution. To insert a variable into a
18241828query string, use a placeholder in the string, and substitute the actual values
You can’t perform that action at this time.
0 commit comments