{ "cells": [ { "cell_type": "markdown", "metadata": { "deletable": true, "editable": true }, "source": [ "Beware of [SQL injection attacks](https://en.wikipedia.org/wiki/SQL_injection).\n", "\n", "See [Exploits of a Mom](https://xkcd.com/327/)." ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "collapsed": false, "deletable": true, "editable": true }, "outputs": [ { "data": { "text/plain": [ "\"SELECT grade FROM stuff WHERE name = '%s';\"" ] }, "execution_count": 1, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# Do not do this.\n", "# This sql template is vulnerable.\n", "\n", "sql = \"SELECT grade FROM stuff WHERE name = '%s';\"\n", "sql" ] }, { "cell_type": "code", "execution_count": 2, "metadata": { "collapsed": false, "deletable": true, "editable": true }, "outputs": [ { "data": { "text/plain": [ "\"SELECT grade FROM stuff WHERE name = 'John';\"" ] }, "execution_count": 2, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# Things works ok with nice input.\n", "\n", "name = 'John'\n", "sql % name" ] }, { "cell_type": "code", "execution_count": 3, "metadata": { "collapsed": false, "deletable": true, "editable": true }, "outputs": [ { "data": { "text/plain": [ "\"SELECT grade FROM stuff WHERE name = 'Robert'; DROP TABLE students;SELECT 'foo';\"" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# Do not do this.\n", "# A malicious name can do bad things.\n", "\n", "name = '''Robert'; DROP TABLE students;SELECT 'foo'''\n", "sql % name" ] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.0" } }, "nbformat": 4, "nbformat_minor": 2 }