sql-injection

Will using F-strings to request data cause SQL injections?

Question: I'm unfamiliar with how injection attacks work. Will using f-strings in .execute() make me vulnerable to injection, if I only request data (not update/insert)? Similarly, let's say I'm trying to edit a column. How can I put in my own variables through .execute() without an …

Total answers: 1

Parameter binding not working for SQLite PRAGMA table_info

Question: I am working with sqlite3 for Python. Why doesn't the parameter binding work for the expression: self.cursor.execute("PRAGMA table_info(?)", table_name) as expected? For any other SELECT query it replaces my parameters as expected. I now used self.cursor.execute("PRAGMA table_info('%s')" % table_name) but this is not safe against SQL …

Total answers: 2

Confusion between prepared statement and parameterized query in Python

Question: As far as I understand, prepared statements are (mainly) a database feature that allows you to separate parameters from the code that uses such parameters. Example: PREPARE fooplan (int, text, bool, numeric) AS INSERT INTO foo VALUES($1, $2, $3, $4); EXECUTE fooplan(1, 'Hunter Valley', 't', …

Total answers: 4

Passing table name as a parameter in psycopg2

Question: I have the following code, using psycopg2: sql = 'select %s from %s where utctime > %s and utctime < %s order by utctime asc;' data = (dataItems, voyage, dateRangeLower, dateRangeUpper) rows = cur.mogrify(sql, data) This outputs: select 'waterTemp, airTemp, utctime' from 'ss2012_t02' where utctime > …

Total answers: 10

Python: best practice and securest way to connect to MySQL and execute queries

Question: What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection. However, I do not know how I should run my queries to prevent injection on the variables to which …

Total answers: 2

A good way to escape quotes in a database query string?

Question: I've tried all manner of Python modules and they either escape too much or in the wrong way. What's the best way you've found to escape quotes (", ') in Python? Asked By: Jonathan Prior. Answers: If it's part of a …

Total answers: 9