mirror of
https://github.com/astral-sh/ruff.git
synced 2025-09-27 12:29:28 +00:00
hardcoded-sql-expression (S608)
Derived from the flake8-bandit linter.
What it does
Checks for strings that resemble SQL statements and are involved in some form of string-building operation (`%`-formatting, `.format()`, f-strings, or `+` concatenation).
Why is this bad?
SQL injection is a common attack vector for web applications. Directly
interpolating user input into SQL statements should always be avoided,
because any input that contains quote characters or SQL keywords can change
the structure of the statement rather than just a value in it.
Instead, favor parameterized queries, in which the SQL statement is
provided separately from its parameters, so the driver binds the values
rather than splicing them into the query text. This is supported by psycopg3
and other database drivers and ORMs.
Example
query = "DELETE FROM foo WHERE id = '%s'" % identifier
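The following is an added, runnable demonstration (not code from the ruff documentation or the ruff project) of the pattern this rule flags next to its parameterized replacement. It uses Python's standard-library `sqlite3` module with a constructed in-memory table `foo`; the payload string and the helper names `delete_unsafe`, `delete_safe` and `remaining` are assumptions for illustration. Note that sqlite3 uses `?` as its placeholder, whereas psycopg uses `%s`; in both drivers the values are passed as a separate tuple.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the ruff docs).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# Constructed injection payload: closes the quoted literal and appends an
# always-true condition, turning a single-row delete into a full-table delete.
PAYLOAD = "1' OR '1'='1"


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO foo (id, name) VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def remaining(conn: sqlite3.Connection) -> int:
    """Row count left in foo, used to observe what each delete actually did."""
    return conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0]


def delete_unsafe(conn: sqlite3.Connection, identifier: str) -> int:
    """The pattern S608 flags: the value is formatted into the SQL text.

    With a benign identifier this deletes one row; with PAYLOAD the query
    becomes `... WHERE id = '1' OR '1'='1` and deletes every row.
    """
    query = "DELETE FROM foo WHERE id = '%s'" % identifier  # S608 fires here
    conn.execute(query)
    conn.commit()
    return remaining(conn)


def delete_safe(conn: sqlite3.Connection, identifier: str) -> int:
    """Parameterized form: the SQL text is constant, the value is bound.

    The driver never interprets the bound value as SQL, so PAYLOAD is simply
    compared against the id column as an opaque string and matches nothing.
    """
    query = "DELETE FROM foo WHERE id = ?"  # psycopg would use %s here
    conn.execute(query, (identifier,))
    conn.commit()
    return remaining(conn)


if __name__ == "__main__":
    print("unsafe, benign id  :", delete_unsafe(fresh_db(), "2"), "rows left")
    print("unsafe, payload    :", delete_unsafe(fresh_db(), PAYLOAD), "rows left")
    print("safe, benign id    :", delete_safe(fresh_db(), "2"), "rows left")
    print("safe, payload      :", delete_safe(fresh_db(), PAYLOAD), "rows left")
```

Running the script shows the benign identifier behaving identically in both versions, while the payload empties the table only through the string-built query. The fix is not to escape quotes in `identifier`; it is to keep the statement text free of runtime data entirely.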