SQL injection , use parameter
Question:
I have this SQL (default_code is a string):
cr.execute(
    '''SELECT product FROM product_product
    WHERE default_code = '%s' limit 1'''
    % (default_code,)
)
and the linter gives me an error:
E8103: SQL injection risk. Use parameters if you can.
Same with another SQL statement:
cr.execute(
    f"SELECT id FROM product_supplierinfo"
    f" WHERE product_tmpl_id = {str(product_tmpl)}"
    f" AND name = {partner.id}"
)
Answers:
It is recommended to set the queries this way:
query = """Update employee set Salary = %s where id = %s"""
tuple1 = (8000, 5)
cursor.execute(query, tuple1)
More info here:
https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/
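As an added illustration (not part of the original question or answer), the two queries from the question rewritten with parameters, next to the interpolated form the linter flags. It uses an in-memory sqlite3 database with constructed rows so it runs offline; Odoo's cr.execute() wraps psycopg2, which uses %s placeholders instead of ?, but the pattern (SQL text plus a separate tuple of values) is the same. Table columns and the assumption that product_tmpl and partner are plain integer ids are mine.

```python
import sqlite3

def make_db():
    # Constructed stand-ins for the two Odoo tables named in the question.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_product (id INTEGER PRIMARY KEY, product TEXT, default_code TEXT);
        INSERT INTO product_product VALUES (1, 'Widget', 'WID-001');
        INSERT INTO product_product VALUES (2, 'Gadget', 'GAD-002');
        CREATE TABLE product_supplierinfo (id INTEGER PRIMARY KEY, product_tmpl_id INTEGER, name INTEGER);
        INSERT INTO product_supplierinfo VALUES (10, 1, 7);
        INSERT INTO product_supplierinfo VALUES (11, 2, 7);
    """)
    return conn

def find_product_unsafe(conn, default_code):
    # The pattern E8103 flags: the value is spliced into the SQL text, so a
    # quote inside default_code changes the structure of the statement.
    cur = conn.execute(
        "SELECT product FROM product_product WHERE default_code = '%s' limit 1"
        % (default_code,)
    )
    return [row[0] for row in cur.fetchall()]

def find_product_safe(conn, default_code):
    # Parameterised form: the driver passes the value separately from the SQL,
    # so it is only ever compared as data. Same shape as
    # cr.execute(query, (default_code,)) with %s in psycopg2.
    cur = conn.execute(
        "SELECT product FROM product_product WHERE default_code = ? LIMIT 1",
        (default_code,),
    )
    return [row[0] for row in cur.fetchall()]

def find_supplierinfo_safe(conn, product_tmpl_id, partner_id):
    # Two parameters, one tuple; no str()/f-string formatting needed even for
    # integers, the driver handles the typing.
    cur = conn.execute(
        "SELECT id FROM product_supplierinfo WHERE product_tmpl_id = ? AND name = ?",
        (product_tmpl_id, partner_id),
    )
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR 1=1 --"   # constructed input containing a quote
    print(find_product_unsafe(db, crafted))  # structure changed: returns every row
    print(find_product_safe(db, crafted))    # treated as data: returns nothing
    print(find_supplierinfo_safe(db, 1, 7))
```

Running it shows why the linter complains: the same input that is harmless data in the parameterised query rewrites the WHERE clause in the interpolated one.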