@buran, that is true, we were supposed to be discussing that code snippet. And again, this piece of code you give has exactly the same issue with injection attacks as the one I gave, but yours does not allow for easy validation of the SQL statement prior to using it, where mine does.
c.execute("INSERT INTO Expense_Data.db VALUES (?, ?, ?, ?)", (l1.get(), l2.get(), l3.get(), l4.get()))
Further, I do mine the way I do based on how I have set up my MVC Database Class handler, where the SQL statement to be used is a Class Variable that gets built by the stored procedure, and the SELECT, INSERT, DELETE and UPDATE all get handled by 2 generic database calls.
Okay now on to explaining what buran means by injection attacks since buran chose not to explain it at all...
Quote: Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.
What are these vulnerabilities? Basically, if coded properly and put into a variable that is getting concatenated to a SQL statement without prior validation, one could input a SQL query that did many things, such as send the entire contents of your database to a remote location, or completely and permanently delete the entire contents of your database, or insert a trigger that secretly sends all data activity to some remote location, and the list goes on. So when receiving data from a user or any other external source, it is extremely important to validate that data prior to allowing it to be used. This, of course, should actually occur at the point of reception, which makes those inline get calls (above) twice as dangerous since they leave no room for validation.
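As an added example (not code from anyone in this thread), a small Python sqlite3 demo of the two points being argued: the bound-parameter form used in the snippet keeps hostile text as plain data while a concatenated query does not, and the input can still be validated at the point of reception before any query is built. The table layout and sample rows are constructed assumptions, since the thread never shows the real Expense_Data schema.

```python
import sqlite3
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed schema and sample data; the thread never shows the real layout.
SCHEMA = "CREATE TABLE expense (day TEXT, category TEXT, amount TEXT, note TEXT)"
SAMPLE_ROWS = [
    ("2024-01-05", "food", "12.50", "lunch"),
    ("2024-01-06", "travel", "40.00", "train"),
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO expense VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_by_category_concat(conn, category):
    # Vulnerable: user text is spliced into the SQL, so a quote in it rewrites the WHERE clause.
    sql = f"SELECT note FROM expense WHERE category = '{category}' ORDER BY rowid"
    return [r[0] for r in conn.execute(sql)]

def find_by_category_param(conn, category):
    # Safe: the driver binds the value; the text is matched literally and never parsed as SQL.
    sql = "SELECT note FROM expense WHERE category = ? ORDER BY rowid"
    return [r[0] for r in conn.execute(sql, (category,))]

def validate_expense(day, category, amount, note):
    """Validate at the point of reception, before anything touches the database."""
    date.fromisoformat(day)  # raises ValueError on a malformed date
    if not category.isalpha():
        raise ValueError("category must be letters only")
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        raise ValueError("amount is not a number") from None
    if amt <= 0:
        raise ValueError("amount must be positive")
    if len(note) > 200:
        raise ValueError("note too long")
    return (day, category.lower(), str(amt), note)

def insert_expense(conn, day, category, amount, note):
    # Validated values go in through bound parameters, never string building.
    row = validate_expense(day, category, amount, note)
    conn.execute("INSERT INTO expense VALUES (?, ?, ?, ?)", row)
    return conn.execute("SELECT COUNT(*) FROM expense").fetchone()[0]
```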