Skip to content Skip to sidebar Skip to footer

Escaping Dynamic Sqlite Query?

I'm currently building SQL queries depending on input from the user. An example how this is done can be seen here: def generate_conditions(table_name,nameValues): sql = u''

Solution 1:

You have two options:

  1. Switch to using SQLAlchemy; it'll make generating dynamic SQL a lot more pythonic and ensures proper quoting.

  2. Since you cannot use parameters for table and column names, you'll still have to use string formatting to include these in the query. Your values on the other hand, should always be using SQL parameters, if only so the database can prepare the statement.

    It's not advisable to just interpolate table and column names taken straight from user input, it's far too easy to inject arbitrary SQL statements that way. Verify the table and column names against a list of such names you accept instead.

    So, to build on your example, I'd go in this direction:

    tables = {
        'e': ('unit1', 'unit2', ...),   # tablename: tuple of column names
    }
    
    defgenerate_conditions(table_name, nameValues):
        if table_name notin tables:
            raise ValueError('No such table %r' % table_name)
        sql = u""
        params = []
        for field in nameValues:
            if field notin tables[table_name]:
                raise ValueError('No such column %r' % field)
            sql += u" AND {0}.{1}=?".format(table_name, field)
            params.append(nameValues[field])
        return sql, params
    
    search_query = u"SELECT * FROM Enheter e LEFT OUTER JOIN Handelser h ON e.Id == h.Enhet WHERE 1=1"
    
    search_params = []
    if"Enhet"in args:
        sql, params = generate_conditions("e",args["Enhet"])
        search_query += sql
        search_params.extend(params)
    c.execute(search_query, search_params)
    

Post a Comment for "Escaping Dynamic Sqlite Query?"