Is my code susceptible to SQL injection attack? [duplicate]


I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such a function exists but couldn't find it.
Edit:
Here is my current code setting the char field named label:

```python
def setLabel(self, userId, refId, label):
    # Bound parameters (?) instead of string formatting
    self._db.cursor().execute(
        """UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""",
        (label, userId, refId),
    )
    self._db.commit()
```
From the documentation:

```python
con.execute("insert into person(firstname) values (?)", ("Joe",))
```

This escapes "Joe", so what you want is

```python
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))
```
The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs (http://docs.python.org/library/sqlite3.html), above "Never do this -- insecure."
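To make the difference concrete, here is an added example (not code from the question or any of the answers) that runs the question's UPDATE against an in-memory SQLite table in both styles. The table, the three seeded rows and the attacker-controlled label `pwned' --` are constructed for the demonstration; the `set_label_unsafe` / `set_label_safe` names are hypothetical. With string formatting the single quote closes the literal and `--` comments out the WHERE clause, so one request overwrites every user's label; with a bound parameter the same text is stored verbatim in the one targeted row. The safe version also checks the length in Python, because SQLite's `CHAR(80)` declares a type affinity but enforces no length limit.

```python
import sqlite3

LABEL_MAX = 80  # SQLite ignores the (80) in CHAR(80); enforce the limit in Python


def make_db():
    """Constructed in-memory copy of the question's 'items' table with seed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (userId INTEGER, refId INTEGER, label CHAR(80))")
    con.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, 1, "alice-1"), (1, 2, "alice-2"), (2, 1, "bob-1")],
    )
    con.commit()
    return con


def set_label_unsafe(con, user_id, ref_id, label):
    """Vulnerable pattern: user text is spliced into the SQL string (hypothetical name)."""
    sql = "UPDATE items SET label = '%s' WHERE userId IS %s AND refId IS %s" % (
        label, user_id, ref_id)
    con.execute(sql)  # the label is parsed as SQL, not treated as a value
    con.commit()


def set_label_safe(con, user_id, ref_id, label):
    """Parameterised form: the label is bound as a value and never parsed as SQL."""
    if not isinstance(label, str) or len(label) > LABEL_MAX:
        raise ValueError("label must be a string of at most %d characters" % LABEL_MAX)
    con.execute(
        "UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?",
        (label, user_id, ref_id),
    )
    con.commit()


def labels(con):
    """All labels in (userId, refId) order, for inspecting the effect of an UPDATE."""
    return [row[0] for row in con.execute(
        "SELECT label FROM items ORDER BY userId, refId")]


# Constructed attacker input: the quote ends the literal, '--' comments out the WHERE.
PAYLOAD = "pwned' --"


def demo():
    """Apply PAYLOAD to row (1, 1) both ways and return (unsafe_labels, safe_labels)."""
    con = make_db()
    set_label_unsafe(con, 1, 1, PAYLOAD)
    unsafe_result = labels(con)  # every row overwritten: ['pwned', 'pwned', 'pwned']

    con = make_db()
    set_label_safe(con, 1, 1, PAYLOAD)
    safe_result = labels(con)    # only (1, 1) changed, payload stored literally
    return unsafe_result, safe_result


def length_check_rejects_oversized():
    """True if set_label_safe refuses a label longer than LABEL_MAX."""
    try:
        set_label_safe(make_db(), 1, 1, "x" * (LABEL_MAX + 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Note that the payload here is a single statement, so the DB-API's one-statement-per-execute() rule does not help: the attacker does not need a second statement to do damage, only to rewrite the WHERE clause of yours. Binding the value is the fix; the length check is an extra that the database will not do for you.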
Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized SQL (I think "bind variables" may be the name used with Oracle specifically).