[Tutor] Python sqlite3 issue
Danny Yoo
dyoo at hashcollision.org
Mon Oct 20 19:32:12 CEST 2014
Hi Juan,
On Mon, Oct 20, 2014 at 10:04 AM, Juan Christian
<juan0christian at gmail.com> wrote:
> I have this code (http://pastebin.com/Q21vQdHZ):
>
> import sqlite3
[code cut]
> def insert_db(_id, url, author, message):
> db.execute("INSERT INTO TOPICS (ID, URL, AUTHOR, MESSAGE) VALUES ({},
> {}, {}, {})".format(_id, url, author, message))
[code cut]
Ah. Do not use normal string formatting when you're dealing with SQL.
In web programming, we can introduce script injection problems when we
use naive string concatenation. Unsurprisingly, the same class of
injection attack can be done in SQL when we use naive string
concatenation to build SQL statements. See:
http://xkcd.com/327/
I'm being serious! :P
Look for the concept of "prepared statements" or "parameter
substitution" or "placeholder" in the sqllite3 Python bindings: it
should let you safely construct the statement templates.
In the documentation here:
https://docs.python.org/2/library/sqlite3.html
search for the word "placeholder", and you should see the relevant material.
More information about the Tutor
mailing list