Python MySQL statement to prevent SQL Injection

Asked Feb 04 '20 at 17:56

Active Feb 04 '20 at 18:09

Viewed 60 times

I have the following code in python which is working fine:

import mysql.connector

mydb = mysql.connector.connect(
    host="some_ip",
    port=3306,
    username="testuser",
    passwd="MyPassword",
    database="tested"
)

mycursor = mydb.cursor()
sql = "INSERT INTO test_table(email, type, created_d)VALUES(%s,%s,%s)"
val = (email,1,today)
mycursor.execute(sql,val)
mydb.commit()

Currently, the variable email is a user input. Is there any risk of SQL injection based on user input? If so, what are my choices of preventing SQL injection?

edited Feb 04 '20 at 18:09

asked Feb 04 '20 at 17:56

Stivan

1,128
1
15
24

I'd be loathe to say "no" with absolute certainty, but what you have is the standard approach for parameterized queries to escape user input and prevent injection – roganjosh Feb 04 '20 at 18:12
Yes, that's the proper way to do parameters in Python. Python has no support for "server-side" SQL parameters (that is, prepare with placeholders, then send the values separately at execute time). Python only does string interpolation, _before_ preparing the query. But the method you show is as safe as you can get with Python. – Bill Karwin Feb 04 '20 at 23:52

Python MySQL statement to prevent SQL Injection

0 Answers0