mirror of
https://github.com/astral-sh/ruff.git
synced 2025-09-27 12:29:28 +00:00
# hardcoded-sql-expression (S608)

Derived from the **flake8-bandit** linter.

### What it does

Checks for strings that resemble SQL statements and are involved in some form
of string building operation (formatting, concatenation, or interpolation).

### Why is this bad?

SQL injection is a common attack vector for web applications. Directly
interpolating user input into SQL statements should always be avoided.

Instead, favor parameterized queries, in which the SQL statement is
provided separately from its parameters, as supported by `psycopg3`
and other database drivers and ORMs.

### Example

```python
# Flagged by S608: `identifier` is formatted into the SQL text itself.
query = "DELETE FROM foo WHERE id = '%s'" % identifier
```
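As an added illustration (not part of the ruff or flake8-bandit documentation), the flagged pattern next to its parameterized counterpart, each run against a constructed in-memory table; `sqlite3` stands in for `psycopg3` because it ships with Python, and its `?` placeholder is assumed in place of psycopg3's `%s` style.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; sqlite3 is used because it ships with Python."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO foo VALUES (?, ?)",
        [("1", "alice"), ("2", "bob"), ("3", "carol")],
    )
    conn.commit()
    return conn


def delete_unsafe(conn: sqlite3.Connection, identifier: str) -> int:
    """The pattern S608 flags: the value becomes part of the SQL text."""
    query = "DELETE FROM foo WHERE id = '%s'" % identifier  # S608
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def delete_safe(conn: sqlite3.Connection, identifier: str) -> int:
    """Parameterized form: fixed SQL text, the value is bound by the driver."""
    cur = conn.execute("DELETE FROM foo WHERE id = ?", (identifier,))
    conn.commit()
    return cur.rowcount


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0]


def compare(identifier: str) -> dict:
    """Run both variants on fresh copies of the table with the same input."""
    unsafe_db, safe_db = make_db(), make_db()
    return {
        "unsafe_deleted": delete_unsafe(unsafe_db, identifier),
        "unsafe_left": row_count(unsafe_db),
        "safe_deleted": delete_safe(safe_db, identifier),
        "safe_left": row_count(safe_db),
    }


if __name__ == "__main__":
    # A well-formed id behaves the same either way ...
    print(compare("2"))
    # ... but a value carrying a quote rewrites the unsafe statement's WHERE
    # clause, while the parameterized version only compares it against id.
    print(compare("' OR '1'='1"))
```

The second call is the whole point of the rule: the same input wipes the table through the formatted statement and matches nothing through the bound one.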

### References

* [B608: Test for SQL injection](https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html)
* [psycopg3: Server-side binding](https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html#server-side-binding)