
I have the following python code:

row = conn.execute('''SELECT admin FROM account WHERE password = ?''',
                   (request.headers.get('X-Admin-Pass'),)).fetchone()

My question is whether this code is secure against SQL injection. Since I use a parameterized query, it should be. However, since I am passing user information straight from the header, I am a little worried :)

Any thoughts about the issue?

  • Which SQL library are you using? Commented Mar 22, 2011 at 17:26
  • Let's just hope that this is example code where you have left out the part that hashes the password. Commented Sep 13, 2019 at 20:15

2 Answers

The way that you are inserting the data into the database will ensure that an SQL attack will not work: the execute method will automatically escape the parameters that you passed as a tuple in its second parameter to the query.

You are doing that correctly.


If your module uses the DBI specs, then you're parameterizing fine. Unless you want to do research into preventing specific SQL attacks, parameterizing your queries is a good umbrella against SQL injection.
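As an added illustration (not code from the question or either answer), the question's query run against a constructed in-memory sqlite3 database, beside the string-formatted form it avoids. The table contents, the helper names and the sample header values are assumptions for this example.

```python
import sqlite3

# Constructed stand-in for the question's `conn`: one account row with a
# made-up password, so both lookups can be compared on the same data.
def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (admin INTEGER, password TEXT)")
    conn.execute("INSERT INTO account VALUES (1, 'correct horse battery staple')")
    conn.commit()
    return conn

def lookup_parameterized(conn, header_value):
    """The question's form: sqlite3 binds the value; it is never part of the
    SQL text, so quotes or comment markers in it stay literal characters.
    A missing header (None) binds as NULL and matches no row."""
    row = conn.execute("SELECT admin FROM account WHERE password = ?",
                       (header_value,)).fetchone()
    return row

def lookup_formatted(conn, header_value):
    """The form the question is right to worry about: the header text is
    spliced into the SQL, so its punctuation changes the query's meaning."""
    sql = "SELECT admin FROM account WHERE password = '%s'" % header_value
    return conn.execute(sql).fetchone()

def compare(header_value):
    """Returns (parameterized result, formatted result) for one header value."""
    conn = make_conn()
    return (lookup_parameterized(conn, header_value),
            lookup_formatted(conn, header_value))
```

Binding protects the query itself; whether the stored value should be a hash rather than the password, as the comment above notes, is a separate concern.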
