- Python Basic Tutorial
- Python - Home
- Python - Overview
- Python - Environment Setup
- Python - Basic Syntax
- Python - Comments
- Python - Variables
- Python - Data Types
- Python - Operators
- Python - Decision Making
- Python - Loops
- Python - Numbers
- Python - Strings
- Python - Lists
- Python - Tuples
- Python - Dictionary
- Python - Date & Time
- Python - Functions
- Python - Modules
- Python - Files I/O
- Python - Exceptions
- Python Advanced Tutorial
- Python - Classes/Objects
- Python - Reg Expressions
- Python - CGI Programming
- Python - Database Access
- Python - Networking
- Python - Sending Email
- Python - Multithreading
- Python - XML Processing
- Python - GUI Programming
- Python - Further Extensions
What is SQL injection? How can you prevent it?
SQL injection is a web hacking technique. It is the code injection technique which inserts malicious code into your database and destroys the database. This is the insertion of malicious code via web page input.
The main cause of SQL injection is providing data smartly into the SQL query which manipulates the data inside our database.
Suppose we have a table with students data. Each student can view his own data using his student id. The SQL query is designed such that it takes the student id input from the student.
Now, the student can enter his student id as “12345 or 1=1”. This translates into the followinq query.
SELECT * FROM Students WHERE id==12345 or 1=1
Now, the above query will return records of other students as well because 1=1 is always true. Hence, the data is of other students is not safe and prone to misuse by the hackers.
The Mysql connector module has method to escape query values in order to prevent SQL injection. The query values can be escaped using the placeholder %s.
Suppose, we have a table named “MyTable”.
+----------+---------+-----------+------------+ | Name | Class | City | Marks | +----------+---------+-----------+------------+ | Karan | 4 | Amritsar | 95 | | Sahil | 6 | Amritsar | 93 | | Kriti | 3 | Batala | 88 | | Khushi | 9 | Delhi | 90 | | Kirat | 5 | Delhi | 85 | +----------+---------+-----------+------------+
import mysql.connector db=mysql.connector.connect(host="your host", user="your username", password="your password",database="database_name") cursor=db.cursor() query="SELECT * FROM Students WHERE Name=%s" name=("Karan",) cursor.execute(query,name) for row in myresult: print(row)
The above code shows the use of placeholders to escape query values.
(‘Karan’, 4, ‘Amritsar’ , 95)
- Related Articles
- What is Code Injection? (How it Works, How to Prevent)
- What is SQL Injection?
- What Is Doxing and How Can You Prevent It?
- Basic SQL Injection and Mitigation with Example
- What is Bloatware and how can you remove it?
- What is IUD? How does it prevent pregnancy?
- What is Bluesnarfing and how to prevent it?
- What is Harpooning? (How it Works, How to Prevent)
- What is spear phishing and how can you avoid it?
- What is an Enumeration Attack? How to Prevent It?
- What is Credential Stuffing? (How it Works, How to Prevent)
- What is Hacking and how is it performed? How to prevent hacking?
- What is Rogue Security Software? (Features, What It Does, How to Prevent)
- How can closures cause memory leak and how to prevent it?
- What is Heartbleed Bug? (How it Works, Vulnerable Devices, How to Prevent