
read_sql should accept a sql_params parameter #10899

@s-celles

Description


Hello,

I wonder if the current use of read_sql couldn't lead to SQL injection.

I read in https://docs.python.org/2/library/sqlite3.html

```python
import sqlite3

# Setup lines added so the quoted docs snippet runs stand-alone
con = sqlite3.connect(":memory:")
c = con.cursor()
c.execute("CREATE TABLE stocks (date text, trans text, symbol text, qty real, price real)")

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print(c.fetchone())

# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
             ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
             ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
            ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)
```

Most people will use

```python
"SELECT * FROM stocks WHERE symbol = '%s'" % symbol
```

(or `.format(...)`)

with read_sql.

If symbol is an unsafe input, it could lead to some problems:

http://xkcd.com/327/

Is it safe to do it here?

Kind regards
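The two patterns from the quoted docs, run side by side on the same input, as an added example that is not part of the original issue or of pandas. It uses only the stdlib sqlite3 driver and a constructed in-memory stocks table; pandas.read_sql exposes the same driver-level binding through its `params` argument, so the same contrast applies there.

```python
import sqlite3

# Constructed sample rows, modelled on the stocks example in the sqlite3 docs.
ROWS = [
    ("2006-01-05", "BUY", "RHAT", 100, 35.14),
    ("2006-03-28", "BUY", "IBM", 1000, 45.00),
    ("2006-04-06", "SELL", "IBM", 500, 53.00),
]


def make_db():
    """In-memory database holding the constructed stocks table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stocks (date TEXT, trans TEXT, symbol TEXT, qty REAL, price REAL)")
    con.executemany("INSERT INTO stocks VALUES (?,?,?,?,?)", ROWS)
    return con


def query_formatted(con, symbol):
    """The pattern the issue warns about: the value is spliced into the SQL text,
    so whatever is in `symbol` is parsed as SQL rather than treated as data."""
    sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    return con.execute(sql).fetchall()


def query_params(con, symbol):
    """The safe pattern: the driver binds `symbol` as a value, never as SQL text."""
    return con.execute("SELECT * FROM stocks WHERE symbol = ?", (symbol,)).fetchall()


def compare(symbol):
    """Run both variants on one input; returns (formatted_row_count, params_row_count).
    The formatted count is None when the spliced text is not even valid SQL."""
    con = make_db()
    try:
        formatted = len(query_formatted(con, symbol))
    except sqlite3.Error:
        formatted = None
    params = len(query_params(con, symbol))
    con.close()
    return formatted, params


if __name__ == "__main__":
    print(compare("IBM"))          # (2, 2): both return the two IBM rows
    print(compare("O'HARA"))       # (None, 0): a legitimate quote breaks the formatted query
    print(compare("' OR '1'='1"))  # (3, 0): formatted leaks every row, bound value matches none
```

The bound version returns zero rows for the last two inputs because the whole string is compared as a symbol name, which is exactly the behaviour a `params` argument on read_sql would give.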
