[docs] [issue27717] sqlite documentation bug
Eyal Mor
report at bugs.python.org
Tue Aug 9 08:29:35 EDT 2016
New submission from Eyal Mor:
In the SQlite module documentation there a code section showing how to securely use the sqlite.execute method.
The problem with this code section is that just from a glance, without reading the paragraph before, or the comments in the section, users could use the insecure version.
It would be better if only a secure example would be in the code section.
https://docs.python.org/2/library/sqlite3.html
Section:
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
----------
assignee: docs at python
components: Documentation
files: Screen Shot 2016-08-09 at 3.28.05 PM.png
messages: 272238
nosy: Eyal Mor, docs at python
priority: normal
severity: normal
status: open
title: sqlite documentation bug
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file44056/Screen Shot 2016-08-09 at 3.28.05 PM.png
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27717>
_______________________________________
More information about the docs
mailing list