


How can you prevent SQL injection vulnerabilities in your Python code?
Parameterized queries are the core defense against SQL injection in Python; never build SQL by concatenating or formatting user input into the statement. 1. Always use the parameterized queries supported by the database driver, such as the placeholder mechanisms in sqlite3, psycopg2, and mysql-connector-python; 2. Never construct SQL statements through string concatenation or formatting (f-strings, .format(), %); 3. Prefer ORM libraries such as SQLAlchemy or Django ORM, which use parameterized queries by default; 4. Validate and filter user input as a supplementary defense, including type, length, and allowlist checks; 5. When dealing with dynamic table or column names, use an allowlist so that only predefined identifiers are accepted. As long as you consistently use parameterized queries and never embed user input directly into SQL strings, you can effectively eliminate SQL injection vulnerabilities.
Preventing SQL injection vulnerabilities in Python comes down to one core principle: never trust user input when building SQL queries. The most effective way to protect your application is to avoid string concatenation or formatting that places user data directly in SQL statements. Here's how to do it right.

Use Parameterized Queries (Prepared Statements)
The best and most reliable defense is to use parameterized queries with placeholders. This ensures that user input is treated strictly as data, not executable code.
Most Python database libraries support parameterized queries. For example, with sqlite3:

```python
import sqlite3

conn = sqlite3.connect("example.db")
cursor = conn.cursor()

# ✅ Safe: parameterized query; the driver binds username as a value, not as SQL text
username = input("Enter username: ")
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))

# ❌ Dangerous: don't do this
# cursor.execute(f"SELECT * FROM users WHERE username = '{username}'")
```
With psycopg2 (PostgreSQL):

```python
import psycopg2

conn = psycopg2.connect("dbname=example")  # connection string is illustrative
cursor = conn.cursor()
# email holds user-supplied input; %s is the driver's placeholder, not string formatting
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
```
With MySQL using mysql-connector-python:

```python
import mysql.connector

conn = mysql.connector.connect(database="example")  # connection arguments are illustrative
cursor = conn.cursor()
# Same %s placeholder style as psycopg2; the value is bound by the driver
cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
```

Always use the database driver's built-in parameterization, not Python string formatting like .format(), f-strings, or %.
Avoid Dynamic Query Building with User Input
Never build SQL queries by concatenating strings that include user-supplied data.
```python
# ❌ Vulnerable to injection: user input becomes part of the SQL text itself
query = "SELECT * FROM users WHERE username = '" + username + "'"
cursor.execute(query)
```
Even if you try to sanitize input yourself, you'll likely miss edge cases. Let the database driver handle it via parameters.
Use ORM Libraries When Possible
Object-Relational Mappers (ORMs) like SQLAlchemy or Django ORM automatically use parameterized queries under the hood, making it much harder to introduce SQL injection.
Example with SQLAlchemy:
```python
from sqlalchemy.orm import sessionmaker

Session = sessionmaker(bind=engine)  # engine created earlier with sqlalchemy.create_engine(...)
session = Session()

# ✅ Safe: the comparison value is sent as a bound parameter (User is a mapped model class)
user = session.query(User).filter(User.username == username).first()
```
Example with Django:
```python
User.objects.filter(username=request.GET['username'])
```
These frameworks abstract away raw SQL and enforce safe practices by default.
Validate and Sanitize Input (Defense in Depth)
While parameterized queries are the main line of defense, you should still validate input types, lengths, formats, and acceptable values where possible.
For example:
- Ensure an ID is numeric.
- Limit string lengths.
- Use allowlists for things like sort directions (ASC/DESC) or table/column names if they must be dynamic.
But remember: input validation alone cannot stop SQL injection — it's a supplement, not a replacement for parameterization.
Handle Dynamic Table or Column Names Carefully
Sometimes you need to dynamically include table or column names (which can't be parameterized). In such cases:
- Use an allowlist of permitted identifiers.
- Never pass raw user input directly.
```python
allowed_columns = {'name', 'email', 'created_at'}
if column not in allowed_columns:
    raise ValueError("Invalid column name")

# column is now one of the pre-approved identifiers, so it is safe to interpolate
query = f"SELECT * FROM users ORDER BY {column}"
cursor.execute(query)
```
This way, only pre-approved values are used.
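The following added example (not code from the original article) ties the parameterized-query and allowlisted-identifier sections together against a constructed in-memory sqlite3 database: values are bound with `?`, identifiers are checked against a fixed allowlist before interpolation, and an ID is type-checked as defense in depth. Table contents and function names are assumptions for illustration.

```python
import sqlite3

# Only these identifiers may ever reach the SQL text; everything else is bound as a value.
ALLOWED_SORT_COLUMNS = {"name", "email", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed sample database (hypothetical rows, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email, created_at) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "2024-01-01"),
         ("bob", "bob@example.com", "2024-02-01"),
         ("o'brien", "ob@example.com", "2024-03-01")],
    )
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    # The ? placeholder binds username as a value: a quote inside it is data, not syntax.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchone()


def list_users_sorted(conn: sqlite3.Connection, column: str, direction: str = "ASC"):
    # Identifiers cannot be bound, so they are validated against the allowlist first.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"Invalid column name: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"Invalid sort direction: {direction!r}")
    # Only allowlisted literals are interpolated here; user data never is.
    query = f"SELECT name FROM users ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(query).fetchall()]


def get_user_by_id(conn: sqlite3.Connection, raw_id: str):
    # Type validation as defense in depth; the value is still bound, not formatted in.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
```

Note that a stray quote in the username simply yields no match instead of altering the query, and a non-allowlisted column is rejected before any SQL is built.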
Basically, stick to parameterized queries for all variable data, use ORMs when you can, and never embed user input directly into SQL strings. It's not complex, just consistent.
The above is the detailed content of How can you prevent SQL injection vulnerabilities in your Python code?. For more information, please follow other related articles on the PHP Chinese website!