(Jan-22-2020, 09:28 PM)Denni Wrote: Actually @buran your response shows that you are the one that is clueless passing a parameterized list (aka sting) inserting variables (that could be strings) is exactly the same as concatenating a string within a string and thus creates the same issue
import sqlite3
conn = sqlite3.connect('test.db')
c = conn.cursor()
# Create table
c.executescript('''DROP TABLE IF EXISTS bank; CREATE TABLE IF NOT EXISTS bank (name TEXT, amount INTEGER)''')
# Insert a row of data
c.execute("INSERT INTO bank VALUES (?, ?)" , ('JOHN DOE', 1000))
c.execute("INSERT INTO bank VALUES (?, ?)" , ('JANE DOE', '2000'))
c.execute("INSERT INTO bank VALUES (?, ?)" , ('Denni', '3000'))
# Save (commit) the changes
conn.commit()
user_input = '3' # normal user input, string
sql_injection = '3 or 1=1' # sql injection
print('Using parametrized statement')
print('\nnormal user input')
c.execute("SELECT * FROM bank WHERE ROWID = ?", (user_input,))
for row in c:
print(row)
print('\nsql injection')
c.execute("SELECT * FROM bank WHERE ROWID = ?", (sql_injection,))
for row in c:
print(row)
print('\n====================\nUsing concatenated statement')
print('\nnormal user input')
s = 'SELECT * FROM bank WHERE ROWID = ' + user_input
c.execute(s)
for row in c:
print(row)
print('\nsql injection')
s = 'SELECT * FROM bank WHERE ROWID = ' + sql_injection
c.execute(s)
for row in c:
print(row)
conn.close()Output:Using parametrized statement
normal user input
('Denni', 3000)
sql injection
====================
Using concatenated statement
normal user input
('Denni', 3000)
sql injection
('JOHN DOE', 1000)
('JANE DOE', 2000)
('Denni', 3000)
If you can't explain it to a six year old, you don't understand it yourself, Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs