[Tutor] SQLite, Python and SQL injection attacks

boB Stepp robertvstepp at gmail.com
Fri Aug 14 20:40:56 CEST 2015

I was just looking at the sqlite3 docs at


and found the following cheery news:

"Usually your SQL operations will need to use values from Python
variables. You shouldn’t assemble your query using Python’s string
operations because doing so is insecure; it makes your program
vulnerable to an SQL injection attack ..."

There followed this recommendation:

"Instead, use the DB-API’s parameter substitution. Put ? as a
placeholder wherever you want to use a value, and then provide a tuple
of values as the second argument to the cursor’s execute() method..."

I have to be honest -- I would have fallen into this potential trap if
I had not read this.  It is not clear to me yet how the recommendation
avoids this issue.  Does the placeholder enforce some sort of type
checking so that arbitrary SQL strings will be rejected?

Having seen this example, are there any other security surprises that
I need to avoid by adopting certain coding techniques when I am using
Python with SQLite?


More information about the Tutor mailing list