first of im pretty new databases , started using python yesterday.
i started playing around sqlite3 module ( used sqlite prior via dbi in perl)
i stumbled across following example on official python sqlite documentation here
# never -- insecure! symbol = 'rhat' c.execute("select * stocks symbol = '%s'" % symbol) # instead t = ('rhat',) c.execute('select * stocks symbol=?', t) print c.fetchone() why first example insecure , second not?
lets have application stores documents , user can search database document name.
for work need input user , create query keyword/s
i dont why tuple should more "secure" string mean in both cases user input "xyz or 1=1" display every record.
i hope kind enough explain me. know obvious experience.
parameters not same simple string substitution; give values directly database without further interpretation:
>>> import sqlite3 >>> db=sqlite3.connect(":memory:") >>> db.execute("create table t(x)") >>> db.execute("insert t values('x'),('secret')") >>> db.execute("select * t x = '%s'" % ("x' or 1=1--",)).fetchall() [(u'x',), (u'secret',)] >>> db.execute("select * t x = ?", ("x' or 1=1--",)).fetchall() [] with parameter, same effect if value have been quoted correctly special characters (in case, where x = 'x'' or 1=1--').
Comments
Post a Comment