
I have an SQL query which is giving an error:

cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`)  VALUES (1,0,?,?,?)",(param1,param2,param3,))

I don't want to use %s in the query because it is prone to SQL injection, and I am taking input from users.

1 Answer


mysqlclient uses %s as the placeholder (see the example in the docs).

Change your code to the following:

cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`)  VALUES (1,0,%s,%s,%s)", (param1,param2,param3,))

You're right to be concerned about SQL injection, but the above is OK. You are still using execute with parameters, so they will be escaped.

The thing you shouldn't do is cur.execute(query % parameters, []). This is vulnerable to SQL injection.
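To make the placeholder difference concrete, here is an added example (not code from the question, the answer, or any driver's documentation). It uses Python's bundled sqlite3 module as a stand-in database because it is available offline; its DB-API paramstyle is "qmark" (the ? placeholder), while mysqlclient and aiomysql declare "format"/"pyformat" (the %s placeholder). The helper picks the placeholder from the module's declared paramstyle, runs the question's INSERT with parameters passed separately, and then shows what goes wrong with the query % parameters pattern the answer warns against. The table layout, the "O'Brien" input, and the function names are assumptions made for the example.

```python
import sqlite3

# DB-API 2.0 modules declare how they expect placeholders to be written.
# sqlite3 -> "qmark" (?); mysqlclient / aiomysql -> "format" or "pyformat" (%s).
def placeholder_for_style(style):
    if style == "qmark":
        return "?"
    if style in ("format", "pyformat"):
        return "%s"
    raise ValueError(f"unsupported paramstyle: {style!r}")


def placeholder_for(dbapi_module):
    # Read the style the driver module itself announces.
    return placeholder_for_style(getattr(dbapi_module, "paramstyle", None))


# The question's statement, with {p} standing for the driver's placeholder.
INSERT_TEMPLATE = (
    "INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`) "
    "VALUES (1, 0, {p}, {p}, {p})"
)


def insert_user_safe(conn, dbapi_module, usrnm, id_, dis):
    """Parameterised insert: only the placeholder token is formatted into the SQL text;
    the user-supplied values travel separately and are escaped by the driver."""
    sql = INSERT_TEMPLATE.format(p=placeholder_for(dbapi_module))
    cur = conn.cursor()
    cur.execute(sql, (usrnm, id_, dis))
    conn.commit()
    return sql


def insert_user_unsafe(conn, usrnm, id_, dis):
    """The pattern the answer warns against: values are interpolated into the SQL string
    in Python, so the database parses them as SQL rather than receiving them as data."""
    sql = INSERT_TEMPLATE.format(p="'%s'") % (usrnm, id_, dis)
    cur = conn.cursor()
    cur.execute(sql)
    conn.commit()


def fetch_usernames(conn):
    return [row[0] for row in conn.execute("SELECT `usrnm` FROM `DB` ORDER BY `usrnm`")]


def demo():
    # Constructed in-memory schema mirroring the column names in the question.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `DB` (`ban` INTEGER, `dntr` INTEGER, "
        "`usrnm` TEXT, `id` TEXT, `dis` TEXT)"
    )
    tricky = "O'Brien"  # constructed input: a perfectly ordinary name containing a quote

    # Safe path: the quote is stored literally, because it never becomes part of the SQL.
    sql_used = insert_user_safe(conn, sqlite3, tricky, "123", "123")
    stored = fetch_usernames(conn)

    # Unsafe path: the quote terminates the string literal early and the statement is
    # no longer the one the developer wrote; here that surfaces as a syntax error.
    try:
        insert_user_unsafe(conn, tricky, "124", "124")
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = type(exc).__name__

    return {
        "placeholder": placeholder_for(sqlite3),
        "sql": sql_used,
        "stored": stored,
        "unsafe_error": unsafe_error,
    }


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this: if a quote in ordinary input can change what the database parses, the values are being treated as SQL, and the fix is to hand them to execute() as the second argument with whatever placeholder the driver's paramstyle specifies.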


4 Comments

Well, I got SQLi in my DB by some attacker in this statement: await cur.execute("""UPDATE DB SET hwid=%s where discid=%s""",(nhwd,message.author.id)) That's why I raised the issue.
That code shouldn't be vulnerable to SQL injection. I assumed you were using mysqlclient but I see you're using await. Perhaps you are mistaken that it was that query that was vulnerable, or perhaps there is a bug in the library you are using.
I am using aiomysql for the MySQL DB with discord.py, in which they are adding and updating the UID themselves. For example: $cmd 123 123 will be added to the DB; $updt 321 321 will be updated in place of 123.
As I said, it looks like either you're mistaken and your attacker used a different query, or there's a bug in aiomysql (less likely in my opinion).
