SQL Injection Prevention in Python - is it enough to use a parameterized query?

Question

SQL Injection Prevention in Python - is it enough to use a parameterized query?

I have the following python code:

row = conn.execute('''SELECT admin FROM account WHERE password = ?''',
(request.headers.get('X-Admin-Pass'),)).fetchone()

My question is: is this code safe for SQL injection? Since I am using a parameterized query, it should be. However, since I am passing user information directly from the header, I am a little worried :)

Any thoughts on the issue?

+3

python sql injection

oldbam Mar 22 '11 at 17:22

source share

2 answers

DBI, . SQL-, SQL-.

+1

krs1 22 . '11 17:33

Dominic santos · Accepted Answer · 2011-03-22T17:29:13+0000

The way you insert data into the database ensures that the SQL attack will not work, the execute method will automatically delete the parameters that you passed as a tuple as the second query parameter.

You are doing it right.

SQL Injection Prevention in Python - is it enough to use a parameterized query?

More articles: