October 2022
Intermediate to advanced
380 pages
9h 35m
English
There is no single technique for securing your SQL code. You should learn all of the following techniques and use them in appropriate cases.
Instead of wondering whether some input contains harmful content, you should strip away any characters that aren’t valid for that input.
For example, if you need an integer, convert the input with a function like int(), which accepts only an integer literal:
```python
import json

from flask import request  # request (and the open DB-API cursor below) come from the chapter's Flask application


def get_products():
    # int() raises ValueError for anything that is not an integer literal
    bugid = int(request.args.get("bugid"))

    # SAFE!
    sql = f"SELECT * FROM Bugs WHERE bug_id = {bugid}"

    cursor.execute(sql)
    return json.dumps(cursor.fetchall())
```
Another type of filtering is to use regular expressions to match safe substrings. If the input doesn’t match ...
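The following is an added example, not code from the book, showing both filtering techniques described above side by side: casting to int() for a numeric bug id, and an allow-list regular expression for a status code. The Bugs table, its rows, the STATUS_PATTERN and the decision to reject non-matching input with a ValueError are assumptions made for this example; it uses an in-memory sqlite3 database instead of the chapter's Flask request and cursor.

```python
import re
import sqlite3


def filter_int(raw):
    """Return raw as an int. int() raises ValueError for anything that is not an integer
    literal (it does tolerate surrounding whitespace and a leading sign)."""
    return int(raw)


def filter_match(raw, pattern):
    """Return raw unchanged only if the whole string matches the allow-list pattern.
    Assumed policy for this example: anything else is rejected, never repaired."""
    if raw is None or not pattern.fullmatch(raw):
        raise ValueError(f"input does not match allowed pattern: {raw!r}")
    return raw


# Assumed status format: upper-case codes only, so quotes, spaces and semicolons can never pass.
STATUS_PATTERN = re.compile(r"[A-Z_]{1,20}")


def setup_db():
    """Constructed in-memory schema and rows standing in for the book's Bugs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, status TEXT, summary TEXT)")
    conn.executemany(
        "INSERT INTO Bugs VALUES (?, ?, ?)",
        [(1234, "NEW", "crash on save"), (1235, "FIXED", "typo in menu"), (1236, "NEW", "slow search")],
    )
    return conn


def get_bug(conn, raw_bugid):
    """Numeric filter: only an integer can reach the SQL string."""
    bugid = filter_int(raw_bugid)
    sql = f"SELECT bug_id, summary FROM Bugs WHERE bug_id = {bugid}"
    return conn.execute(sql).fetchall()


def get_bugs_by_status(conn, raw_status):
    """Regex filter: the pattern forbids the quote character that delimits the literal."""
    status = filter_match(raw_status, STATUS_PATTERN)
    sql = f"SELECT bug_id FROM Bugs WHERE status = '{status}' ORDER BY bug_id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def try_request(fn, conn, raw):
    """Run a filtered query; rejected input is reported and no SQL is built from it."""
    try:
        return fn(conn, raw)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    db = setup_db()
    print(try_request(get_bug, db, "1234"))             # [(1234, 'crash on save')]
    print(try_request(get_bug, db, "1234abc"))          # rejected: invalid literal for int() ...
    print(try_request(get_bugs_by_status, db, "NEW"))   # [1234, 1236]
    print(try_request(get_bugs_by_status, db, "new status"))  # rejected: input does not match ...
```

Both filters fail closed: a value that is not an integer, or that contains any character outside the allow-list, raises before a query string exists, which is what makes the later string interpolation safe in the book's sense.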