mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-11-04 03:44:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

gh-96250: Improve sqlite3 injection attack example (#99270)

Browse source 
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
This commit is contained in:
Jia Junjie 2022-12-09 04:37:08 +08:00 committed by GitHub
parent cd67c1bb30
commit 41d4ac9da3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

14
Doc/library/sqlite3.rst
View file

@ -1929,12 +1929,16 @@ How to use placeholders to bind values in SQL queries
SQL operations usually need to use values from Python variables. However, SQL operations usually need to use values from Python variables. However,
beware of using Python's string operations to assemble queries, as they beware of using Python's string operations to assemble queries, as they
are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic are vulnerable to `SQL injection attacks`_. For example, an attacker can simply
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong):: close the single quote and inject ``OR TRUE`` to select all rows::
# Never do this -- insecure! >>> # Never do this -- insecure!
symbol = 'RHAT' >>> symbol = input()
cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol) ' OR TRUE; --
>>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
>>> print(sql)
SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
>>> cur.execute(sql)
Instead, use the DB-API's parameter substitution. To insert a variable into a Instead, use the DB-API's parameter substitution. To insert a variable into a
query string, use a placeholder in the string, and substitute the actual values query string, use a placeholder in the string, and substitute the actual values