author: Jia Junjie <62194633+jiajunjie@users.noreply.github.com> 2022-12-08 20:37:08 (GMT)
committer: GitHub <noreply@github.com> 2022-12-08 20:37:08 (GMT)
commit: 41d4ac9da348ca33056e271d71588b2dc3a6d48d (patch)
tree: 342346be68130f0c8477d90b82abfb43ecf664f6 /Doc/library
parent: cd67c1bb30eccd0c6fd1386405df225aed4c91a9 (diff)
gh-96250: Improve sqlite3 injection attack example (#99270)
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
Diffstat (limited to 'Doc/library')
 Doc/library/sqlite3.rst | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/Doc/library/sqlite3.rst b/Doc/library/sqlite3.rst
index 960f296..2b6387c 100644
--- a/Doc/library/sqlite3.rst
+++ b/Doc/library/sqlite3.rst
@@ -1929,12 +1929,16 @@ How to use placeholders to bind values in SQL queries
SQL operations usually need to use values from Python variables. However,
beware of using Python's string operations to assemble queries, as they
-are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
-<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::
-
- # Never do this -- insecure!
- symbol = 'RHAT'
- cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
+are vulnerable to `SQL injection attacks`_. For example, an attacker can simply
+close the single quote and inject ``OR TRUE`` to select all rows::
+
+ >>> # Never do this -- insecure!
+ >>> symbol = input()
+ ' OR TRUE; --
+ >>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
+ >>> print(sql)
+ SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
+ >>> cur.execute(sql)
Instead, use the DB-API's parameter substitution. To insert a variable into a
query string, use a placeholder in the string, and substitute the actual values
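Review bot: the new prose only explains the `' OR TRUE` half of the payload, but the `; --` tail is what makes the injected statement parse: the `--` turns the format string's trailing closing quote into a comment, as the printed `SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'` shows. Suggest extending the sentence to something like "close the single quote, inject ``OR TRUE`` to select all rows, and comment out the rest of the statement with ``--``" so readers see why the leftover quote does not raise a syntax error. Two smaller points: `TRUE` as a boolean literal only exists in SQLite 3.23.0 and later, on older libraries it is parsed as a column name and the query fails, so either note that or use the version-independent `OR 1=1`; and the `>>> symbol = input()` line followed by the bare payload reads like an interactive session that cannot actually run, which is fine in this `::` literal block but should not be turned into a `.. doctest::` later.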