
SQLite: prevent SQL injection

December 31, 2012

DON’T do this:

cmd = "update people set name='{0}' where id='{1}'".format(name, id)   # user input is spliced straight into the SQL text
curs.execute(cmd)   # a name or id containing a quote rewrites the statement

DO this instead:

cmd = "update people set name=? where id=?"   # placeholders, no quotes around them
curs.execute(cmd, (name, id))   # the driver binds the values; they can never become SQL

The placeholder token is fixed by the database driver, not by you. If you are using MySQL (MySQLdb/mysqlclient) or PostgreSQL (psycopg2), the placeholder is %s; if you are using SQLite (sqlite3), it is ?. Use the placeholder even for numbers and other non-string values, and never wrap it in quotes in the SQL string: the driver does the quoting and escaping. Note that the %s here is not Python string formatting, so do not write cmd % (name, id) or .format(); always pass the values as the second argument to execute(). If in doubt, check the driver's paramstyle attribute (sqlite3.paramstyle is 'qmark', psycopg2's and MySQLdb's is 'format').
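The following runnable script is an added example, not code from the original post. It builds a constructed three-row people table in an in-memory SQLite database, runs the DON'T and DO versions of the update against an attacker-controlled id, and shows why the bound version is safe. It also maps a DB-API paramstyle name to its placeholder token, which generalizes the %s-versus-? rule above to the other styles the DB-API allows; the table and the helper names are assumptions for the example.

```python
import sqlite3

# Constructed sample rows for the example (not from the original post).
PEOPLE = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Fresh in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (id integer primary key, name text)")
    conn.executemany("insert into people (id, name) values (?, ?)", PEOPLE)
    conn.commit()
    return conn


def update_vulnerable(conn, name, id):
    """The DON'T version: user input is spliced into the SQL text."""
    cmd = "update people set name='{0}' where id='{1}'".format(name, id)
    cur = conn.execute(cmd)
    conn.commit()
    return cur.rowcount  # number of rows the statement changed


def update_safe(conn, name, id):
    """The DO version: the driver binds the values, they never become SQL."""
    cur = conn.execute("update people set name=? where id=?", (name, id))
    conn.commit()
    return cur.rowcount


def names(conn):
    """Current names in id order, to show what each update did."""
    return [row[0] for row in conn.execute("select name from people order by id")]


def placeholder_for(paramstyle):
    """Map a DB-API paramstyle (e.g. sqlite3.paramstyle == 'qmark') to the
    placeholder token written in the SQL string. 'numeric' and 'named' take a
    position or a name after the colon; ':1' and ':name' are sample tokens."""
    return {
        "qmark": "?",            # sqlite3
        "format": "%s",          # MySQLdb / mysqlclient, psycopg2
        "pyformat": "%(name)s",  # also accepted by psycopg2 and MySQLdb
        "numeric": ":1",
        "named": ":name",
    }[paramstyle]


if __name__ == "__main__":
    # Attacker-controlled "id": the quote closes the literal and adds an
    # always-true condition, so the vulnerable statement matches every row.
    evil_id = "1' or '1'='1"

    conn = make_db()
    print("vulnerable:", update_vulnerable(conn, "mallory", evil_id), "rows ->", names(conn))
    # vulnerable: 3 rows -> ['mallory', 'mallory', 'mallory']

    conn = make_db()
    print("safe:", update_safe(conn, "mallory", evil_id), "rows ->", names(conn))
    # safe: 0 rows -> ['alice', 'bob', 'carol']  (the whole string is compared to id)

    # A legitimate value containing a quote is no problem for the bound version.
    print("safe with a quote:", update_safe(conn, "O'Brien", 2), "row ->", names(conn))
    print("sqlite3 placeholder:", placeholder_for(sqlite3.paramstyle))
```

With the bound version, the string 1' or '1'='1 is compared as a single value against the integer id column and matches nothing, and a name like O'Brien is stored verbatim; with the formatted version the same name would be a syntax error and the crafted id rewrites every row.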

Tip from here.

Categories: python