St123

Reputation: 84

Will this code prevent SQL injection (Python)

Please let me know whether the following code will 100% prevent SQL injection in Python.

Sample1

username = request.GET.get('username')  # non-filtered user input (request.GET is dict-like: index it or call .get(); it is not callable)
connection.execute("SELECT id,name,email FROM user WHERE username=%s LIMIT 1", (username,))  # %s is the driver's placeholder; the value is bound separately, never formatted into the SQL string

Sample2

username = request.POST.get('username')  # non-filtered user input (request.POST is dict-like: index it or call .get(); it is not callable)
name = request.POST.get('name')  # non-filtered user input
email = request.POST.get('email')  # non-filtered user input
connection.execute("UPDATE user SET name=%s, email=%s WHERE username=%s LIMIT 1", (name, email, username))  # three placeholders, three bound values, in order

Upvotes: 1

Views: 4475

Answers (1)

mhlester

Reputation: 23231

The concept of the %s is to isolate the data from the query. When you pass two arguments, they are combined in the module. It is intended to mitigate injection, but I'd be hesitant to say "100%"

Edit: many wiser than myself (maybe even real life security experts!) have weighed in here: https://security.stackexchange.com/questions/15214/are-prepared-statements-100-safe-against-sql-injection

Upvotes: 3
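The separation the answer describes (the SQL text stays fixed, the value travels to the driver separately) can be seen by running the two samples against a throwaway database. The following is an added example, not code from the question or the answer: it uses Python's built-in sqlite3 module with a constructed in-memory "user" table so it runs offline. sqlite3 uses "?" as its placeholder where the question's driver uses "%s"; the mechanism is the same (the placeholder is interpreted by the driver, not by Python's string formatting). The table contents, the injection payload and the ALLOWED_SORT_COLUMNS allow-list are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed fixture (assumption): two rows in a table shaped like the
    # question's "user" table (id, username, name, email).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, name, email) VALUES (?, ?, ?)",
        [("alice", "Alice", "alice@example.com"), ("bob", "Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Python string formatting: the user's text is spliced into the SQL
    before the database sees it, so its quotes and comment markers are parsed."""
    sql = "SELECT id,name,email FROM user WHERE username='%s' LIMIT 1" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Sample1 with DB-API binding: the SQL text is fixed and the value is
    handed to the driver separately, so it can only be compared as data."""
    return conn.execute(
        "SELECT id,name,email FROM user WHERE username=? LIMIT 1", (username,)
    ).fetchall()


def update_safe(conn, username, name, email):
    """Sample2 with binding; returns the stored (name, email) afterwards so
    the caller can see that hostile text is stored literally, not executed."""
    conn.execute(
        "UPDATE user SET name=?, email=? WHERE username=?", (name, email, username)
    )
    conn.commit()
    return conn.execute(
        "SELECT name,email FROM user WHERE username=?", (username,)
    ).fetchone()


# Assumption for the example: the only columns a caller may sort by.
ALLOWED_SORT_COLUMNS = {"id", "username", "name", "email"}


def list_sorted(conn, column):
    """The caveat: placeholders bind values only. An identifier (column or
    table name, ORDER BY target) cannot be bound, so it has to be checked
    against an allow-list before it is spliced into the statement."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute("SELECT username FROM user ORDER BY " + column)]


# Classic payload: closes the quote, makes the WHERE always true, comments
# out the rest of the statement (including the LIMIT 1).
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(sqlite3.paramstyle)            # 'qmark': sqlite3 uses ?, MySQLdb/psycopg2 use %s
    print(lookup_unsafe(db, INJECTION))  # both rows: WHERE and LIMIT are both defeated
    print(lookup_safe(db, INJECTION))    # []: no user is literally named that
    print(update_safe(db, "alice", "Mallory', email='x' WHERE 1=1 --", "a@x.example"))
    print(list_sorted(db, "id"))
```

Run the module and compare the first two printed results: the formatted query returns every row, the bound query returns nothing, because the bound value is never parsed as SQL. The last function is the part the question's samples do not cover; when the user controls which column to filter or sort on, binding cannot help and an allow-list is what stands between the request and the statement.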

Related Questions