Is my code susceptible to SQL injection attack? [duplicate]
I have some code in Python that sets a char(80) value in an sqlite DB. The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure. On the server side I currently pass the string to a method calling the SQL UPDATE operation. It works, but I'm aware it is not safe at all. I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection? A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such a function exists but couldn't find it.

Edit: Here is my current code setting the char field named label:

```python
def setLabel( self, userId, refId, label ):
    self._db.cursor().execute( """
        UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""",
        ( label, userId, refId) )
    self._db.commit()
```
From the documentation:

```python
con.execute("insert into person(firstname) values (?)", ("Joe",))
```

This escapes "Joe", so what you want is

```python
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
```
The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs (http://docs.python.org/library/sqlite3.html), above "Never do this -- insecure".
Noooo... USE BIND VARIABLES! That's what they're there for. See this. Another name for the technique is parameterized SQL (I think "bind variables" may be the name used with Oracle specifically).
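To make the difference between the two approaches discussed in these answers concrete, here is an added, self-contained example (not code from the question or the answers) that runs the asker's UPDATE against a constructed in-memory sqlite3 table, once with the label pasted into the SQL text and once bound as a `?` parameter; the table layout, the two sample rows and the hostile label are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for the poster's self._db.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (userId INTEGER, refId INTEGER, label CHAR(80))")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, 10, "alice-item"), (2, 20, "bob-item")])
    db.commit()
    return db

def set_label_unsafe(db, user_id, ref_id, label):
    # String formatting: the label becomes part of the SQL text, so the
    # parser sees whatever quotes and keywords it contains (shown for contrast only).
    sql = (f"UPDATE items SET label = '{label}' "
           f"WHERE userId IS {user_id} AND refId IS {ref_id}")
    db.execute(sql)
    db.commit()

def set_label(db, user_id, ref_id, label):
    # Parameter binding, as in the answers: the label is handed to sqlite as
    # data and is never parsed as SQL, so no quoting function is needed.
    db.execute("UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?",
               (label, user_id, ref_id))
    db.commit()

def labels(db):
    # Map of userId -> label, used to inspect what each variant did to the table.
    return {uid: lbl for uid, lbl in
            db.execute("SELECT userId, label FROM items ORDER BY userId")}

# Constructed label that closes the string literal and comments out the real WHERE clause.
HOSTILE_LABEL = "pwned' WHERE 1=1 --"

def demo():
    db = make_db()
    set_label_unsafe(db, 1, 10, HOSTILE_LABEL)
    unsafe_result = labels(db)   # every row rewritten, not just (1, 10)
    db = make_db()
    set_label(db, 1, 10, HOSTILE_LABEL)
    safe_result = labels(db)     # only (1, 10) touched; label stored verbatim
    return unsafe_result, safe_result

if __name__ == "__main__":
    print(demo())
```

Running it shows the formatted query overwriting both users' rows, while the bound version stores the odd-looking label as an ordinary 80-character string in the one intended row.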