SQLite: prevent SQL injection
DON’T do this:
cmd = "update people set name='{0}' where id='{1}'".format(name, id)
curs.execute(cmd)
DO this instead:
cmd = "update people set name=? where id=?"
curs.execute(cmd, (name, id))
“If you are using MySQL or PostgreSQL, use %s (even for numbers and other non-string values!) and if you are using SQLite, use ?.”
Tip from here.
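As an added example (not part of the original post), the following script builds a throwaway in-memory SQLite table with constructed sample rows and runs both versions above against a name containing an apostrophe. The parameterized query stores the value intact, because the driver binds it as data; the format-string query fails with a syntax error, because the value was spliced into the SQL text and parsed as part of the statement, which is exactly the opening an injection uses. The table name, column names and helper functions are assumptions chosen to match the snippets in the post.

```python
import sqlite3

# Constructed sample data for the demo; not from any real system.
PEOPLE = [(1, "Ada"), (2, "Grace"), (3, "Linus")]


def make_db():
    """Create an in-memory database with a small 'people' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (id integer primary key, name text)")
    # executemany uses the same '?' placeholders as execute.
    conn.executemany("insert into people (id, name) values (?, ?)", PEOPLE)
    conn.commit()
    return conn


def rename_unsafe(conn, name, id):
    """The DON'T version: values are pasted into the SQL text."""
    cmd = "update people set name='{0}' where id='{1}'".format(name, id)
    conn.execute(cmd)
    conn.commit()


def rename_safe(conn, name, id):
    """The DO version: values are bound by the driver, never parsed as SQL.

    The sqlite3 module's placeholder style is '?' (sqlite3.paramstyle ==
    'qmark'); MySQL and PostgreSQL drivers use '%s' instead, as the post
    notes. The id is passed as a number, not formatted into a string.
    """
    cmd = "update people set name=? where id=?"
    conn.execute(cmd, (name, id))
    conn.commit()


def names(conn):
    """Return all names in id order."""
    return [row[0] for row in conn.execute("select name from people order by id")]


def demo():
    """Run both variants with an apostrophe in the input.

    Returns (names after the safe update, error text from the unsafe update).
    """
    conn = make_db()

    # Safe: "O'Brien" is stored literally; the quote is just data.
    rename_safe(conn, "O'Brien", 2)
    after_safe = names(conn)

    # Unsafe: the quote terminates the SQL string literal early, so
    # SQLite sees  update people set name='O'Brien' where id='3'
    # and rejects it. Anything after that quote is interpreted as SQL,
    # which is the injection problem the post warns about.
    try:
        rename_unsafe(conn, "O'Brien", 3)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)

    return after_safe, unsafe_error


if __name__ == "__main__":
    safe_names, err = demo()
    print("after parameterized update:", safe_names)
    print("format-string update failed with:", err)
```

The check to carry into your own scripts is simple: if a value from outside the program ever appears inside the string you hand to `execute`, it is the unsafe pattern, regardless of whether the value looks like a number.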
Categories: python
mysql, postgresql, sql injection, sqlite
How about using a good ORM like SQLAlchemy or the Django ORM?
It’s like shooting a sparrow with a cannon. I need sqlite for small scripts. Leave SQLAlchemy and ORMs for large(r) projects.