SQL Antipatterns, Volume 1

by Bill Karwin
October 2022
Content level: Intermediate to advanced
380 pages
9h 35m
English
Pragmatic Bookshelf
Content preview from SQL Antipatterns, Volume 1

Solution: Trust No One

There is no single technique for securing your SQL code. You should learn all of the following techniques and use them in appropriate cases.

Filter Input

Instead of wondering whether some input contains harmful content, you should strip away any characters that aren’t valid for that input.

For example, if you need an integer, use a function like int() for simple cases like numbers:

 import json

 # request and cursor are assumed to be supplied by the surrounding web
 # framework and database connection, as in the book's other listings.
 def get_products():
   # int() raises ValueError for anything that is not a whole number,
   # so only a genuine integer can ever reach the query string.
   bugid = int(request.args.get("bugid"))

   # SAFE!
   sql = f"SELECT * FROM Bugs WHERE bug_id = {bugid}"

   cursor.execute(sql)
   return json.dumps(cursor.fetchall())

Another type of filtering is to use regular expressions to match safe substrings. If the input doesn’t match ...
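Both filters side by side, as an added example that is not the book's own code: an int() cast for a numeric ID and a regex whitelist for a column name (which cannot be bound as a query parameter). It assumes a constructed in-memory SQLite Bugs table; input that fails either filter is rejected with ValueError rather than "cleaned up".

```python
import json
import re
import sqlite3

# Constructed in-memory schema so the example runs offline (not a fixture from the book).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, summary TEXT, status TEXT)")
conn.executemany(
    "INSERT INTO Bugs VALUES (?, ?, ?)",
    [(1, "Crash on save", "NEW"), (2, "Slow query", "OPEN"), (3, "Typo in UI", "FIXED")],
)

# Whitelist for a SQL identifier: a letter or underscore, then letters, digits, underscores.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def filter_int(value):
    """Integer filter: int() raises ValueError for anything that is not a whole number."""
    return int(value)


def filter_identifier(value):
    """Regex filter: on mismatch, reject the value instead of trying to repair it."""
    if not IDENT_RE.match(value):
        raise ValueError(f"invalid identifier: {value!r}")
    return value


def get_bug(raw_bugid):
    """Same shape as the book's get_products(): only an int is ever interpolated."""
    bugid = filter_int(raw_bugid)
    sql = f"SELECT bug_id, summary FROM Bugs WHERE bug_id = {bugid}"  # SAFE: bugid is an int
    return json.dumps(conn.execute(sql).fetchall())


def list_bugs_sorted(raw_column):
    """ORDER BY needs a column name, so the regex whitelist is the filter here."""
    column = filter_identifier(raw_column)
    sql = f"SELECT bug_id FROM Bugs ORDER BY {column}"  # SAFE: column matched IDENT_RE
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_call(fn, raw):
    """Return (True, result) for accepted input or (False, reason) for rejected input."""
    try:
        return True, fn(raw)
    except ValueError as exc:
        return False, str(exc)
```

Note that even harmless-looking input such as "status DESC" fails the identifier whitelist; the filter accepts one column name and nothing else.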



Publisher Resources

ISBN: 9798888650011