Python Forum
SQL Injection attacks on Python code
#9
Sanitization is hard. Anything short of perfect and you have a vulnerability (and/or you are risking mangling incoming data). What do you do when '*' or similar characters are valid input? Also it's difficult to prove after the fact that the job is sufficient. Placeholders/parameters are much simpler.

Not to say you shouldn't sanitize (that might well be necessary for all sorts of vulnerabilities beyond simple SQL injection). But relying on it when there are better alternatives isn't a good idea.

Don't write your own encryption. Don't rely on sanitization to avoid SQL injection. A (non-Python-oriented) take on this is at https://kevinsmith.io/sanitize-your-inputs/.

See also https://cheatsheetseries.owasp.org/cheat...Sheet.html
Quote: Defense Option 1: Prepared Statements (with Parameterized Queries)

The use of prepared statements with variable binding (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.

Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.
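The point above about awkward-but-valid input, shown as an added example (not code from the thread): the concatenated query breaks on a name containing an apostrophe, while the `?` placeholder lets SQLite treat every character as data. The table and names are constructed sample data.

```python
import sqlite3

# Constructed sample data: names containing characters a hand-written
# sanitizer would have to deal with (an apostrophe, and '*' as valid input).
SAMPLE_USERS = ["alice", "O'Brien", "*admin*"]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Placeholders are also the right way to do bulk inserts.
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in SAMPLE_USERS])
    conn.commit()
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the input becomes part of the SQL text,
    so a quote in it changes what the database parses."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe pattern: the SQL is fixed first and the value bound afterwards.
    The driver hands `name` to SQLite as data, so no character in it can
    alter the statement's structure and no escaping is needed."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_outcome(name: str) -> tuple:
    """Return (concatenated_result, parameterized_result) for one input;
    a database error from the concatenated query is reported as 'ERROR'."""
    conn = build_db()
    try:
        concat = find_user_concatenated(conn, name)
    except sqlite3.Error:
        concat = "ERROR"
    param = find_user_parameterized(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for n in SAMPLE_USERS:
        print(repr(n), "->", lookup_outcome(n))
```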


Messages In This Thread
SQL Injection attacks on Python code - by rob101 - Oct-11-2022, 03:20 PM
RE: SQL Injection attacks on Python code - by bowlofred - Oct-11-2022, 10:34 PM