0

Hey, I read all the guides there are with Python and yet I couldn't find a solution for the following query:

    select * from known_table_name where id in (list)

`list` is a variable that holds `"1,2,3,56,7,8"`.

Does anyone know how to secure it?

  • 2
    Does this answer your question? [imploding a list for use in a python MySQLDB IN clause](https://stackoverflow.com/questions/589284/imploding-a-list-for-use-in-a-python-mysqldb-in-clause) with [this top answer](https://stackoverflow.com/a/589416/2221001) – JNevill Dec 14 '21 at 18:41

1 Answer

0

There are various ways, including:

    # SAFE EXAMPLES. DO THIS!
    # Positional placeholder: the driver binds the value, so it is never spliced into the SQL text.
    # (The original had a stray quote after %s, which would have broken the query.)
    cursor.execute("SELECT admin FROM users WHERE username = %s", (username,))
    # Named placeholder: same idea, with the value looked up from a dict.
    cursor.execute("SELECT admin FROM users WHERE username = %(username)s", {'username': username})

Source: https://realpython.com/prevent-python-sql-injection/#exploiting-query-parameters-with-python-sql-injection

  • I don't think this is answering the user's question, which is specifically how to safely use a list as a variable in a query. – Frank Yellin Dec 14 '21 at 19:10
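The comment is right that the answer covers a single value, not a list. The safe pattern for an `IN (...)` clause (the one the linked top answer describes) is to generate one placeholder per value and pass the values as parameters, so the driver binds them and nothing from the list is ever concatenated into the SQL. Below is an added, self-contained example that is not from the question or the answer. It uses the standard-library `sqlite3` module so it runs offline; `sqlite3` uses `?` placeholders, whereas MySQLdb uses `%s` (check your driver's `paramstyle` and swap the placeholder accordingly). The table `known_table_name`, its rows and the `ALLOWED_TABLES` set are constructed here for illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the asker's known_table_name (not real data).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE known_table_name (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO known_table_name (id, name) VALUES (?, ?)",
        [(i, f"row{i}") for i in range(1, 61)],
    )
    return conn

# Identifiers (table/column names) cannot be bound as parameters, so they must
# come from a fixed allowlist rather than from user input.
ALLOWED_TABLES = {"known_table_name"}


def parse_id_list(raw):
    """Turn the asker's "1,2,3,56,7,8" string into a list of ints.

    int() rejects anything that is not a plain integer, so a value like
    "1) OR 1=1 --" raises ValueError instead of reaching the SQL text.
    """
    ids = [int(part.strip()) for part in raw.split(",") if part.strip()]
    if not ids:
        raise ValueError("empty id list")
    return ids


def build_in_query(table, count):
    """Build 'SELECT ... WHERE id IN (?, ?, ...)' with one placeholder per value."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    placeholders = ", ".join("?" for _ in range(count))   # MySQLdb: use "%s" here
    return f"SELECT id, name FROM {table} WHERE id IN ({placeholders})"


def select_by_ids(conn, table, raw_ids):
    """Parameterised IN query: the ids travel as bound parameters, not as SQL."""
    ids = parse_id_list(raw_ids)
    sql = build_in_query(table, len(ids))
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(build_in_query("known_table_name", 6))
    print(select_by_ids(db, "known_table_name", "1,2,3,56,7,8"))
```

The two checks that matter are visible in the code: the number of placeholders is derived from the parsed list (so the SQL shape is fixed by your code, not by the input), and the values themselves are only ever handed to `execute()` as the second argument. Note that some drivers reject an empty `IN ()`; the parser above refuses an empty list up front for that reason.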