[Tutor] [OT] Secure coding guidelines
Serdar Tumgoren
zstumgoren at gmail.com
Tue Oct 13 17:49:18 CEST 2009
> In reference to this tip, my question is why?
> - don't use string formatting to create SQL statements - use the
> two-argument form of execute() to pass args as a sequence
>
SQL injection is the primary reason:
http://en.wikipedia.org/wiki/SQL_injection
If you are going to "manually" hit a database by constructing your own
SQL calls, it's generally safer to pass in a tuple of parameters. The
below is an excerpt from the Python Docs for sqlite3:
http://docs.python.org/library/sqlite3.html
<<excerpt>>
Usually your SQL operations will need to use values from Python
variables. You shouldn’t assemble your query using Python’s string
operations because doing so is insecure; it makes your program
vulnerable to an SQL injection attack.
Instead, use the DB-API’s parameter substitution. Put ? as a
placeholder wherever you want to use a value, and then provide a tuple
of values as the second argument to the cursor’s execute() method.
(Other database modules may use a different placeholder, such as %s or
:1.) For example:
# Never do this -- insecure!
symbol = 'IBM'
c.execute("... where symbol = '%s'" % symbol)
# Do this instead
t = (symbol,)
c.execute('select * from stocks where symbol=?', t)
# Larger example
for t in [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
('2006-04-05', 'BUY', 'MSOFT', 1000, 72.00),
('2006-04-06', 'SELL', 'IBM', 500, 53.00),
]:
c.execute('insert into stocks values (?,?,?,?,?)', t)
<</excerpt>>
You're other option is to use some type of object relational mapper,
such as SQL Alchemy or Django's ORM, to hit the database. You use that
language's database-query language, which in turn constructs the SQL
calls for you in a (hopefully) safe manner.
More information about the Tutor
mailing list