gh-96250: Improve sqlite3 injection attack example (GH-99270)
(cherry picked from commit 41d4ac9)

Co-authored-by: Jia Junjie <62194633+jiajunjie@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
4 people authored Dec 8, 2022
1 parent 0e2c783 commit 8ef6045
Showing 1 changed file with 10 additions and 6 deletions.
16 changes: 10 additions & 6 deletions Doc/library/sqlite3.rst
Expand Up @@ -1427,12 +1427,16 @@ How to use placeholders to bind values in SQL queries

SQL operations usually need to use values from Python variables. However,
beware of using Python's string operations to assemble queries, as they
are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::

# Never do this -- insecure!
symbol = 'RHAT'
cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
are vulnerable to `SQL injection attacks`_. For example, an attacker can simply
close the single quote and inject ``OR TRUE`` to select all rows::

>>> # Never do this -- insecure!
>>> symbol = input()
' OR TRUE; --
>>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
>>> print(sql)
SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
>>> cur.execute(sql)

Instead, use the DB-API's parameter substitution. To insert a variable into a
query string, use a placeholder in the string, and substitute the actual values
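Review bot: the prose above the new example says the attacker injects ``OR TRUE``, but the payload shown in the doctest block is ``' OR TRUE; --``, and the ``; --`` part is never explained; the ``--`` is what comments out the leftover closing quote so the resulting ``SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'`` stays syntactically valid. Consider extending the sentence to something like "close the single quote, inject ``OR TRUE`` to select all rows, and comment out the rest of the query" so the printed SQL matches the explanation. Minor: since the block is now in ``>>>`` doctest form with an ``input()`` call, double-check that the docs doctest run skips or tolerates it rather than blocking on stdin.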
