
First, I'm very new to Stack Overflow (first question posted) and forums in general. In addition to this downfall, I'm also new to development and databases other than at a Systems Administration type level.

I see several questions about using variables in Python with the MySQLdb module on Stack Overflow. Many of them have mention of SQL Injection code like this. The answer with 70+ upvotes gives you an example where `%` appears to be the deciding character in whether or not your code is susceptible to SQL Injection. My questions are:

  1. Do I understand correctly that the `"" % (VAR)` instead of `"", (VAR)` is what makes the difference?

  2. If that is the case, then is this post also an example, or is there something different with using the `%` to designate a table vs a clause?

It is noteworthy to mention I've tried learning more about SQL Injection. Not sure if I'm too dense or the material is, but I'm just not following. In this article by Cisco I tried to follow, I find that there is no mention of a percent but instead they appear to be using `?`. So if someone can point me to some "layman's" documentation I would appreciate that!

  • SQL injection becomes possible as soon as you start integrating user input into your queries. This is [one of the most famous illustrations](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). [This reference question](http://stackoverflow.com/q/60174/1446005), although initially applying to PHP, also provides tons of valuable information on how to prevent this, regardless of the language. – RandomSeed Aug 03 '13 at 02:49
  • Check [this one](http://stackoverflow.com/q/1973/1446005) too. – RandomSeed Aug 03 '13 at 02:53
  • @RandomSeed thanks for the quick response. I will review your links but I believe that was the missing piece. With all of the reading I did, I failed to realize that it was user input. I've basically worried about the wrong thing since mine isn't based on user input. However, now that I know more about it, I'm very interested. – NoPathInParticular Aug 03 '13 at 04:09
  • Sufficient time has now passed for you to add your self-answer as an actual answer. Please do so, using [the revision history of your question](http://stackoverflow.com/posts/18028576/revisions) if necessary to retrieve the text. – Air Apr 10 '15 at 23:17

1 Answer

RandomSeed posted the correct answer to my question so I'll repost:

SQL injection becomes possible as soon as you start integrating user input into your queries. This is one of the most famous illustrations. This reference question, although initially applying to PHP, also provides tons of valuable information on how to prevent this, regardless of the language.
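The difference asked about in the question, as an added example that is not from the question, the answer, or the linked posts: it uses Python's standard `sqlite3` module so it runs without a MySQL server, and `sqlite3`'s placeholder is `?` (the character the Cisco article uses) where MySQLdb uses `%s`. The sample table and the table-name whitelist for question 2 are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original question)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Python's % builds the SQL text before the driver sees it, so any quote
    characters inside `name` become part of the SQL grammar."""
    sql = "SELECT name FROM users WHERE name = '%s'" % (name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The value travels separately from the SQL text; the driver binds it as
    data, so quote characters in `name` can never change the query's meaning."""
    sql = "SELECT name FROM users WHERE name = ?"  # MySQLdb would use %s here
    return [row[0] for row in conn.execute(sql, (name,))]


# Placeholders bind values only, never identifiers such as table names.  A
# caller-chosen table name therefore has to be checked against a fixed
# whitelist (assumed here) before it is spliced into the query text with %.
ALLOWED_TABLES = {"users"}


def count_rows(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (table,))
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # quotes are SQL in the unsafe form, data in the safe form
    print("unsafe:", lookup_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_safe(db, crafted))    # no row has that literal name
    print("rows:  ", count_rows(db, "users"))
```

Running it shows the interpolated query returning both rows for an input that is not a user name at all, while the parameterized query returns nothing, which is the whole difference between `%` and `,` in the upvoted answer.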