Is my code susceptible to SQL injection attack? [duplicate]


I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such a function exists but couldn't find it.
Edit:
Here is my current code setting the char field name label:

    def setLabel( self, userId, refId, label ):
        self._db.cursor().execute( """
            UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", ( label, userId, refId) )
        self._db.commit()
From the documentation:

    con.execute("insert into person(firstname) values (?)", ("Joe",))

This escapes "Joe", so what you want is

    con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs, http://docs.python.org/library/sqlite3.html, above "Never do this -- insecure."
Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized sql (I think "bind variables" may be the name used with Oracle specifically).
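The following is an added example (not code from the question or from any of the answers) that runs the parameterized UPDATE from the question against an in-memory sqlite3 database next to the string-splicing form the question is trying to avoid. The table layout, the sample row and the label text are constructed for the demonstration. It also covers the one caveat the answers leave implicit: `?` placeholders bind values only, so a column name chosen at runtime (the hypothetical `set_column_value` helper) has to be checked against an allowlist rather than bound.

```python
import sqlite3


def make_db():
    """Build an in-memory sqlite DB with an items table shaped like the
    question's, plus one constructed row (sample data, not from the post)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (userId INTEGER, refId INTEGER, label CHAR(80))")
    db.execute("INSERT INTO items VALUES (1, 10, 'initial')")
    db.commit()
    return db


def set_label_unsafe(db, user_id, ref_id, label):
    """The pattern the question wants to get rid of: the label is spliced
    into the SQL text, so a quote character inside it is parsed as SQL."""
    db.execute(
        "UPDATE items SET label = '%s' WHERE userId = %d AND refId = %d"
        % (label, user_id, ref_id)
    )
    db.commit()


def set_label(db, user_id, ref_id, label):
    """Parameterized form of the question's setLabel: sqlite3 binds each '?'
    to a value, so the label is never interpreted as statement text."""
    db.execute(
        "UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?",
        (label, user_id, ref_id),
    )
    db.commit()


def get_label(db, user_id, ref_id):
    row = db.execute(
        "SELECT label FROM items WHERE userId IS ? AND refId IS ?",
        (user_id, ref_id),
    ).fetchone()
    return row[0] if row else None


def set_column_value(db, column, user_id, ref_id, value):
    """Hypothetical helper showing the caveat: placeholders cannot stand in
    for identifiers, so a runtime-chosen column name must pass an allowlist
    before it is interpolated into the statement text."""
    allowed = {"label"}
    if column not in allowed:
        raise ValueError("column not allowed: %r" % column)
    db.execute(
        "UPDATE items SET %s = ? WHERE userId IS ? AND refId IS ?" % column,
        (value, user_id, ref_id),
    )
    db.commit()


def demo():
    """Returns (unsafe_failed, stored_label, column_rejected) for a
    constructed label containing quote characters."""
    label = "Bob's \"special\" label; -- with odd characters"
    db = make_db()
    unsafe_failed = False
    try:
        # The apostrophe in the label ends the SQL string literal early,
        # so sqlite rejects the spliced statement with a syntax error.
        set_label_unsafe(db, 1, 10, label)
    except sqlite3.OperationalError:
        unsafe_failed = True
    # The bound version stores the label exactly as the user typed it.
    set_label(db, 1, 10, label)
    column_rejected = False
    try:
        set_column_value(db, "userId", 1, 10, 5)
    except ValueError:
        column_rejected = True
    return unsafe_failed, get_label(db, 1, 10), column_rejected


if __name__ == "__main__":
    print(demo())
```

The unsafe function fails here only because the constructed label happens to contain an apostrophe; with other input it would silently run whatever SQL the label contained, which is why the bound form is the one to keep. The `IS` comparisons are taken from the question as posted; in sqlite they behave like `=` but also match NULL, which is worth knowing if `userId` or `refId` can be NULL.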