Is my code susceptible to SQL injection attack? [duplicate]


I have some code in Python that sets a char(80) value in an sqlite DB.
The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.
On the server side I currently pass the string to a method calling the SQL UPDATE operation.
It works, but I'm aware it is not safe at all.
I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation against SQL injection?
A function that would "quote" the text so that it can't confuse the SQL parser is what I'm looking for. I expect such a function exists but couldn't find it.
Edit:
Here is my current code setting the char field name label:
def setLabel( self, userId, refId, label ):
    # parameters are bound by the sqlite3 driver, not spliced into the SQL text
    self._db.cursor().execute( """
        UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", ( label, userId, refId) )
    self._db.commit()

From the documentation:
con.execute("insert into person(firstname) values (?)", ("Joe",))
This escapes "Joe", so what you want is
con.execute("insert into person(firstname) values (?)", (firstname_from_client,))

The DB-API's .execute() supports parameter substitution which will take care of escaping for you; it's mentioned near the top of the docs: http://docs.python.org/library/sqlite3.html above "Never do this -- insecure".

Noooo... USE BIND VARIABLES! That's what they're there for. See this
Another name for the technique is parameterized sql (I think "bind variables" may be the name used with Oracle specifically).
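As an added example (not code from the question or any of the answers), here is the asker's setLabel pattern rewritten with bind variables, beside the string-formatting version it replaces, run against a constructed in-memory SQLite table. The ItemStore class, its sample rows and the 80-character length check are assumptions made for this illustration; SQLite does not enforce the char(80) length itself.

```python
import sqlite3

MAX_LABEL_LEN = 80  # the column is declared char(80); SQLite will not enforce that


class ItemStore:
    """Constructed in-memory stand-in for the asker's self._db connection."""

    def __init__(self):
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE items (userId INTEGER, refId INTEGER, label CHAR(80))"
        )
        # constructed sample rows: two users, one item each
        self._db.executemany(
            "INSERT INTO items VALUES (?, ?, ?)",
            [(1, 10, "alice-item"), (2, 20, "bob-item")],
        )
        self._db.commit()

    def set_label_unsafe(self, user_id, ref_id, label):
        # Vulnerable pattern: the user's text becomes part of the SQL statement,
        # so a quote followed by SQL (or a comment marker) rewrites the WHERE clause.
        sql = "UPDATE items SET label = '%s' WHERE userId = %d AND refId = %d" % (
            label, user_id, ref_id)
        self._db.execute(sql)
        self._db.commit()

    def set_label(self, user_id, ref_id, label):
        # Safe pattern: the driver binds each value; the label is data, never SQL.
        if len(label) > MAX_LABEL_LEN:
            raise ValueError("label exceeds %d characters" % MAX_LABEL_LEN)
        self._db.execute(
            "UPDATE items SET label = ? WHERE userId = ? AND refId = ?",
            (label, user_id, ref_id),
        )
        self._db.commit()

    def labels(self):
        """Return {refId: label} for every row, to inspect what an update touched."""
        return dict(self._db.execute("SELECT refId, label FROM items ORDER BY refId"))


if __name__ == "__main__":
    tricky = "x' WHERE 1=1 --"   # constructed label containing a quote and SQL
    safe = ItemStore()
    safe.set_label(1, 10, tricky)
    print(safe.labels())         # only refId 10 changes, label stored verbatim
    unsafe = ItemStore()
    unsafe.set_label_unsafe(1, 10, tricky)
    print(unsafe.labels())       # every row has been overwritten with 'x'
```

Checking labels() after each update shows the difference: with bind variables the quote character is just stored in one row, while the formatted version silently rewrites every user's label.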