How to Prevent SQL Injection in Pyhton

How to Prevent SQL Injection in Pyhton

The Code is as follows:

c=db.cursor()max_price=5c.execute("""SELECT spam, eggs, sausage FROM breakfast          WHERE price < %s""", (max_price,))

Note that the separator between the preceding SQL string and the subsequent tuple is comma, And the spelling of SQL is %.

If you use the following statements, SQL injection is easily generated:

The Code is as follows:

c.execute("""SELECT spam, eggs, sausage FROM breakfast          WHERE price < %s""" % (max_price,))

This is similar to the PDO in PHP and works in the same way as MySQL Prepared Statements.

PythonUsing the Python DB API, don't do this:# Do NOT do it this way.

The Code is as follows:
Cmd = "update people set name = '% s' where id =' % S'" % (name, id) curs.exe cute (cmd)

Instead, do this:

The Code is as follows:
Cmd = "update people set name = % s where id = % s" curs.exe cute (cmd, (name, id ))

Note that the placeholder syntax depends on the database you are using.

The Code is as follows:

'qmark' Question mark style, e.g. '...WHERE name=?' 'numeric' Numeric, positional style, e.g. '...WHERE name=:1' 'named' Named style, e.g. '...WHERE name=:name' 'format' ANSI C printf format codes, e.g. '...WHERE name=%s' 'pyformat' Python extended format codes, e.g. '...WHERE name=%(name)s'

The values for the most common databases are:

The Code is as follows:

>>> import MySQLdb; print MySQLdb.paramstyle format >>> import psycopg2; print psycopg2.paramstyle pyformat >>> import sqlite3; print sqlite3.paramstyle qmark

So if you are using MySQL or PostgreSQL, use % s (even for numbers and other non-string values !) And if you are using SQLite use?