Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Sanitizing SQLite Input

Tags:

First of all Im pretty new to databases and i started using Python yesterday.

I started playing around with the sqlite3 module ( I used some Sqlite prior to this via DBI in Perl)

I stumbled across the following example on the official Python Sqlite Documentation here

# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)

# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()

Why is the first example insecure and the second not?

Lets just say i have some application that stores documents and the user can search the database by the document name.

For this to work i would need an input from the user and then create a query with the keyword/s

I dont get why a tuple should now be more "secure" then a string i mean in both cases the user could input something like "xyz OR 1=1" to display every record.

I hope someone is kind enough to explain this to me. I know this is probably very obvious to someone with experience.

like image 394
Simerax Avatar asked Sep 10 '17 09:09

Simerax

People also ask

Why is it important to sanitize input before inserting it in your database?

Failure to sanitize inputs can lead to attackers including SQL code in form inputs so they can do any number of interesting things, ranging from deleting information from a database to injecting information.

How do you disinfect input in python?

To sanitize a string input which you want to store to the database (for example a customer name) you need either to escape it or plainly remove any quotes (', ") from it. This effectively prevents classical SQL injection which can happen if you are assembling an SQL query from strings passed by the user.

What is data sanitization for SQL queries?

Data sanitization is the process of removing all dangerous characters from an input string before passing it to the SQL engine. For exampl… Arguably, the best technique to protect against SQL injections is a method called prepared statements.

1 Answers

Parameters are not the same as simple string substitution; they give their values directly to the database without further interpretation:

>>> import sqlite3
>>> db=sqlite3.connect(":memory:")
>>> db.execute("CREATE TABLE t(x)")                 
>>> db.execute("INSERT INTO t VALUES('x'),('secret')")
>>> db.execute("SELECT * FROM t WHERE x = '%s'" % ("x' OR 1=1--",)).fetchall()
[(u'x',), (u'secret',)]
>>> db.execute("SELECT * FROM t WHERE x = ?",     ("x' OR 1=1--",)).fetchall()
[]

With a parameter, you get the same effect as if the value would have been quoted correctly for all special characters (in this case, WHERE x = 'x'' OR 1=1--').

like image 94
CL. Avatar answered Oct 11 '22 13:10

CL.
Sign in to Comment

Related questions

Cannot run migrations when postgres extension added in rails 5 application
How can I prevent a user using inspect element to enable a disabled element?
C# Compiler - Unassigned Field and Local Variable Initial Value
Sass &:not(:first-of-type) hides everything with the class
Perl comparison operator output
Chrome bug while using html5 video and fullpage.js. Any solution?
Is it a good practice to wrap Masstransit for CQRS implementation? [closed]
Docker-machine instance is not talking to outside world ( i.e Internet )
How do I get a React Native app to run properly on an iPad?
Python script for controlling ASCOM CCD camera?
ARIA Accessibility in Angular 2 and 4
Is it possible for a method in Java 8 to determine simply whether an Iterable<Integer> Object provides a PrimitiveIterator.OfInt iterator?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!