[Tutor] SQLite, Python and SQL injection attacks

Alan Gauld alan.gauld at btinternet.com
Fri Aug 14 21:44:58 CEST 2015

On 14/08/15 19:40, boB Stepp wrote:

> "Instead, use the DB-API’s parameter substitution. Put ? as a
> placeholder wherever you want to use a value, and then provide a tuple
> of values as the second argument to the cursor’s execute() method..."

This is not a Sqlite issue its true of any database.

> I have to be honest -- I would have fallen into this potential trap

Me too, the first time I used a SQL database.
But it didn't take long before a more enlightened colleague
advised me of my ignorance! :-)

> I had not read this.  It is not clear to me yet how the recommendation
> avoids this issue.  Does the placeholder enforce some sort of type
> checking so that arbitrary SQL strings will be rejected?

Yes, it parses the inputs to detect potential issues,
such as rogue semi colons etc.

> Having seen this example, are there any other security surprises that
> I need to avoid by adopting certain coding techniques when I am using
> Python with SQLite?

As I say, it's not just SQLite, its any database.

And the same is true of handling URLs etc you should always
use library parsing and escaping routines to build them.
Especially when inserting data from users or received
data files.

Alan G
Author of the Learn to Program web site
Follow my photo-blog on Flickr at:

More information about the Tutor mailing list