(Jan-22-2020, 09:28 PM)Denni Wrote: Actually @buran your response shows that you are the one that is clueless passing a parameterized list (aka sting) inserting variables (that could be strings) is exactly the same as concatenating a string within a string and thus creates the same issue
import sqlite3 conn = sqlite3.connect('test.db') c = conn.cursor() # Create table c.executescript('''DROP TABLE IF EXISTS bank; CREATE TABLE IF NOT EXISTS bank (name TEXT, amount INTEGER)''') # Insert a row of data c.execute("INSERT INTO bank VALUES (?, ?)" , ('JOHN DOE', 1000)) c.execute("INSERT INTO bank VALUES (?, ?)" , ('JANE DOE', '2000')) c.execute("INSERT INTO bank VALUES (?, ?)" , ('Denni', '3000')) # Save (commit) the changes conn.commit() user_input = '3' # normal user input, string sql_injection = '3 or 1=1' # sql injection print('Using parametrized statement') print('\nnormal user input') c.execute("SELECT * FROM bank WHERE ROWID = ?", (user_input,)) for row in c: print(row) print('\nsql injection') c.execute("SELECT * FROM bank WHERE ROWID = ?", (sql_injection,)) for row in c: print(row) print('\n====================\nUsing concatenated statement') print('\nnormal user input') s = 'SELECT * FROM bank WHERE ROWID = ' + user_input c.execute(s) for row in c: print(row) print('\nsql injection') s = 'SELECT * FROM bank WHERE ROWID = ' + sql_injection c.execute(s) for row in c: print(row) conn.close()
Output:Using parametrized statement
normal user input
('Denni', 3000)
sql injection
====================
Using concatenated statement
normal user input
('Denni', 3000)
sql injection
('JOHN DOE', 1000)
('JANE DOE', 2000)
('Denni', 3000)
Do you still think it's the same?
If you can't explain it to a six year old, you don't understand it yourself, Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs