mirror of
https://github.com/python/cpython.git
synced 2024-11-24 18:34:43 +08:00
gh-96250: Improve sqlite3 injection attack example (#99270)
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
parent
cd67c1bb30
commit
41d4ac9da3
@ -1929,12 +1929,16 @@ How to use placeholders to bind values in SQL queries
|
||||
|
||||
SQL operations usually need to use values from Python variables. However,
|
||||
beware of using Python's string operations to assemble queries, as they
|
||||
are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
|
||||
<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::
|
||||
are vulnerable to `SQL injection attacks`_. For example, an attacker can simply
|
||||
close the single quote and inject ``OR TRUE`` to select all rows::
|
||||
|
||||
# Never do this -- insecure!
|
||||
symbol = 'RHAT'
|
||||
cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
|
||||
>>> # Never do this -- insecure!
|
||||
>>> symbol = input()
|
||||
' OR TRUE; --
|
||||
>>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
|
||||
>>> print(sql)
|
||||
SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
|
||||
>>> cur.execute(sql)
|
||||
|
||||
Instead, use the DB-API's parameter substitution. To insert a variable into a
|
||||
query string, use a placeholder in the string, and substitute the actual values
|
||||
|
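Review bot: The new introductory sentence explains only closing the single quote and injecting ``OR TRUE``, but the input shown in the session is `' OR TRUE; --`, and nothing tells the reader that the trailing `--` comments out the leftover `'` so the statement still parses. A short clause covering that would make the printed `SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'` line self-explanatory. The session also stops at `>>> cur.execute(sql)` with no output, so the "select all rows" claim is never shown; consider adding the fetched result or a one-line comment stating it. Separately, the typed input line after `>>> symbol = input()` reads like interpreter output in this doctest-style layout, so a comment marking it as user input would help.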