[Tutor] sqlite
Peter Otten
__peter__ at web.de
Sat May 14 03:21:28 EDT 2016
Alan Gauld via Tutor wrote:
> On 13/05/16 21:25, Neil D. Cerutti wrote:
>
>> From your tutorial:
>>
>> query = '''INSERT INTO Address
>> (First,Last,House,Street,District,Town,PostCode,Phone)
>> Values ("%s","%s","%s","%s","%s","%s","%s","%s")''' %\
>> (first, last, house, street, district, town, code, phone)
>>
>> I am not an expert on SQLite, but that doesn't appear to be a wise way
>> to call SQL from Python. Are the double-quotes enough to protect you
>> from malicious data?
>
> No, and if you carry on reading you will find:
>
> ------------------
> A Word about Security
>
> While the code above works and demonstrates how to call SQL from Python
> it does have one significant flaw. Because I used string formatting to
> construct the queries it is possible for a malicious user to enter some
> rogue SQL code as input. This rogue code then gets inserted into the
> query using the format string and is executed, potentially deleting
> vital data. To avoid that, the execute() API call has an extra trick up
> its sleeve....
>
> -------------
I have to say it: giving a newbie a bad idea plus broken example code -- and
then following up with a warning will hardly ever work out the way you'd hope.
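Added example (not from the thread or the tutorial it discusses): the tutorial's string-formatted INSERT next to the placeholder form that the "extra trick up its sleeve" refers to, run against an in-memory SQLite database. The Address table schema (all TEXT columns) and the sample row are constructed for this example; the tutorial's CREATE statement is not shown in the thread. A first name containing a double quote is enough to make the formatted query fail to parse, while the parameterized version stores it verbatim.

```python
import sqlite3

# Assumed schema matching the column list in the tutorial's INSERT.
COLUMNS = ("First", "Last", "House", "Street",
           "District", "Town", "PostCode", "Phone")


def make_db():
    """Fresh in-memory database with a constructed Address table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Address (First TEXT, Last TEXT, House TEXT, Street TEXT, "
        "District TEXT, Town TEXT, PostCode TEXT, Phone TEXT)"
    )
    return conn


def insert_formatted(conn, row):
    """The tutorial's approach: data is pasted into the SQL text, so any
    quote in the data becomes part of the SQL grammar."""
    query = '''INSERT INTO Address
    (First,Last,House,Street,District,Town,PostCode,Phone)
    Values ("%s","%s","%s","%s","%s","%s","%s","%s")''' % row
    conn.execute(query)
    conn.commit()


def insert_parameterized(conn, row):
    """The fix: '?' placeholders with the values passed as a separate
    argument, so the driver never interprets them as SQL."""
    query = '''INSERT INTO Address
    (First,Last,House,Street,District,Town,PostCode,Phone)
    VALUES (?,?,?,?,?,?,?,?)'''
    conn.execute(query, row)
    conn.commit()


def fetch_rows(conn):
    """All rows in column order, as tuples."""
    return list(conn.execute(
        "SELECT First,Last,House,Street,District,Town,PostCode,Phone "
        "FROM Address ORDER BY rowid"))


def compare(row):
    """Run both inserts on separate fresh databases.
    Returns (rows stored by the parameterized insert,
             error message from the formatted insert, or None)."""
    conn = make_db()
    insert_parameterized(conn, row)
    stored = fetch_rows(conn)

    conn = make_db()
    try:
        insert_formatted(conn, row)
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    return stored, error


if __name__ == "__main__":
    # Constructed input: a nickname in double quotes is ordinary user data.
    row = ('Jo "JJ"', "Bloggs", "1", "High St",
           "Centre", "Town", "AB1 2CD", "0123")
    stored, error = compare(row)
    print("parameterized stored:", stored)
    print("formatted insert error:", error)
```

The formatted version fails here with a syntax error rather than doing anything dramatic, which is the mild outcome; the point is that the database, not the application, decides what the data means once it is part of the query text. Note also that SQL uses double quotes for identifiers, not string literals; SQLite accepts the tutorial's `"%s"` form only through a compatibility quirk that can be compiled out.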