

Is my code susceptible to SQL injection attack? [duplicate]


I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such a function exists but couldn't find it.
Edit:
Here is my current code setting the char field named label:
def setLabel( self, userId, refId, label ):
    self._db.cursor().execute( """
        UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", ( label, userId, refId) )
    self._db.commit()
From the documentation:
con.execute("insert into person(firstname) values (?)", ("Joe",))
This escapes "Joe", so what you want is
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs: http://docs.python.org/library/sqlite3.html above "Never do this -- insecure."
Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized sql (I think "bind variables" may be the name used with Oracle specifically).
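The contrast the answers describe, as an added example that is not part of the original question or answers: the string-formatting version the docs warn about, next to the parameterized version, run against a constructed in-memory sqlite3 table. A legitimate label containing a single quote ("O'Brien") is enough to break the formatted query, while the bound parameter stores it verbatim and leaves other rows untouched. The table layout and sample rows are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample database; the schema mirrors the question's
    # items(userId, refId, label) table but is an assumption for this demo.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (userId INTEGER, refId INTEGER, label CHAR(80))")
    con.execute("INSERT INTO items VALUES (1, 10, 'old'), (1, 11, 'other'), (2, 10, 'theirs')")
    con.commit()
    return con


def set_label_unsafe(con, user_id, ref_id, label):
    # The pattern the docs mark "Never do this -- insecure": user text is pasted
    # into the SQL string, so any quote in it changes how the statement parses.
    con.execute(
        "UPDATE items SET label = '%s' WHERE userId IS %s AND refId IS %s"
        % (label, user_id, ref_id)
    )
    con.commit()


def set_label_safe(con, user_id, ref_id, label):
    # Parameterized query (bind variables): the SQL text is fixed and the driver
    # passes the values separately, so no escaping is needed in application code.
    con.execute(
        "UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?",
        (label, user_id, ref_id),
    )
    con.commit()


def labels(con):
    # Map (userId, refId) -> label for easy inspection of the table contents.
    rows = con.execute("SELECT userId, refId, label FROM items ORDER BY userId, refId")
    return {(u, r): lbl for u, r, lbl in rows}


def demo():
    # Returns the exception class raised by the unsafe version (None if it ran),
    # the label the safe version stored, and a neighbouring row to show it is untouched.
    name = "O'Brien"  # constructed, perfectly legitimate input containing a quote
    con = make_db()
    try:
        set_label_unsafe(con, 1, 10, name)
        unsafe_outcome = None
    except sqlite3.Error as exc:
        unsafe_outcome = type(exc).__name__
    set_label_safe(con, 1, 10, name)
    stored = labels(con)
    return unsafe_outcome, stored[(1, 10)], stored[(1, 11)]
```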
