
Injection Safe Parameterized Queries With Sqlite3 In Python

I've been reading documentation for SQLite and found that many sources strongly recommend avoiding Python string substitution in queries, since it makes them vulnerable to injection.

Solution 1:

You can use bind variables to parameterize values. You can't parameterize column names (or table names, or the names of other SQL objects).

Using untrusted data for these names would be innately insecure -- and moreover, making this possible would prevent up-front analysis (of which indexes can be used or otherwise how to efficiently execute a query), which is a non-security-related benefit of prepared statements.
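The following is an added example, not code from the question or the answer above. It demonstrates the two halves of the answer against Python's standard `sqlite3` module: a bound `?` placeholder stops a value-position injection that string formatting lets through, binding a column name in `ORDER BY` is accepted but has no effect (the parameter is a string constant, not an identifier), and the only safe way to let a caller choose a column is to map the request onto a fixed allowlist. The table, the rows, the `SORTABLE_COLUMNS` set and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows (not from the original post). Insertion order is
# deliberately not alphabetical so that a working ORDER BY is visible.
SAMPLE_USERS = [
    (1, "carol", "carol@example.com"),
    (2, "alice", "alice@example.com"),
    (3, "bob", "bob@example.com"),
]

# Hypothetical allowlist of columns a caller may sort by. The names are fixed
# in code; the request only selects one of them, it never supplies SQL text.
SORTABLE_COLUMNS = {"id", "username", "email"}


def make_db():
    """Return an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # Values are bound here too; executemany takes the same ? placeholders.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately unsafe: the value is spliced into the SQL text, so a quote
    in the input changes the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Bind variable: the value travels separately from the SQL text and is
    compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_users_bound_column_name(conn, order_by):
    """What happens if you try to bind a column name: sqlite3 accepts it, but
    the placeholder becomes a string constant, so ORDER BY sorts every row on
    the same constant and the requested column is silently ignored."""
    sql = "SELECT username FROM users ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (order_by,))]


def list_users_sorted(conn, order_by):
    """Column names cannot be parameterized, so validate the request against
    the allowlist and only then splice the (now trusted) name into the SQL.
    The double quotes make SQLite treat it strictly as an identifier."""
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    sql = 'SELECT username FROM users ORDER BY "%s"' % order_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row leaks
    print("safe:      ", find_user_safe(db, payload))         # no match
    print("bound name:", list_users_bound_column_name(db, "username"))
    print("allowlist: ", list_users_sorted(db, "username"))
```

Note that `sqlite3.Cursor.execute` refuses to run more than one statement per call, so the classic `'; DROP TABLE users; --` payload raises `ProgrammingError` here; that is a property of the Python binding, not a defence, as the `OR '1'='1'` payload above shows. The allowlist check is the general pattern for any identifier the caller may choose (table names, column names, `ASC`/`DESC`): compare against a fixed set, then use the set's own string, not the user's.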
