3

I have the following code in python which is working fine:

import mysql.connector

mydb = mysql.connector.connect(
    host="some_ip",
    port=3306,
    username="testuser",
    passwd="MyPassword",
    database="tested"
)

mycursor = mydb.cursor()
sql = "INSERT INTO test_table(email, type, created_d)VALUES(%s,%s,%s)"
val = (email,1,today)
mycursor.execute(sql,val)
mydb.commit()

Currently, the variable email is a user input. Is there any risk of SQL injection based on user input? If so, what are my choices of preventing SQL injection?

Improve this question
2
  • I'd be loathe to say "no" with absolute certainty, but what you have is the standard approach for parameterized queries to escape user input and prevent injection Commented Feb 4, 2020 at 18:12
  • Yes, that's the proper way to do parameters in Python. Python has no support for "server-side" SQL parameters (that is, prepare with placeholders, then send the values separately at execute time). Python only does string interpolation, before preparing the query. But the method you show is as safe as you can get with Python. Commented Feb 4, 2020 at 23:52
Related questions
13111
What does the "yield" keyword do in Python?
2769
How can I prevent SQL injection in PHP?
8114
Does Python have a ternary conditional operator?
Load 7 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.