-
-
Notifications
You must be signed in to change notification settings - Fork 32.1k
sqlite documentation bug #71904
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
In the SQlite module documentation there a code section showing how to securely use the sqlite.execute method. https://docs.python.org/2/library/sqlite3.html Section: # Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases) |
I think it is pretty hard to miss "Never do this" when reading the code section. That said, I don't have a strong objection to changing it. I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field. Nor is this a security issue in our usage of that type, so I've changed the type to behavior. |
I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :) Here is a patch that moves the insecure example to a separate code block. |
Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can make the insecure example separated from the secure one, but I don't think it's worth to apply it. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: