SQL Injection trouble SQLite Python


How can I correct this code so that it is less vulnerable to SQL injection? (sqlite3)

    audit((cursor, connection, 0),
          "registration error {0}".format(username))
    sql = """insert into activitylog(userid, activity, start, stop)
             values({0}, '{1}', '{2}','{3}')
          """.format(handle[2], activity, start, stop)

I suggest using the parameter substitution built into the sqlite3 dbapi2.

    con.execute('insert into activitylog (userid, activity, start, stop) values (?, ?, ?, ?)',
                (handle[2], activity, start, stop))

You can split it onto multiple lines with a triple-quoted string literal, as you have in your code.
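The difference between the two patterns, as an added runnable example that is not part of the question or answer above: both functions insert into an in-memory `activitylog` table, using a constructed activity string that contains an apostrophe. The `str.format` version breaks on that input (the quote ends the string literal early and SQLite rejects the statement), while the `?` placeholder version stores it verbatim. The function names and the schema are assumptions for this demo.

```python
import sqlite3

# Assumed schema, matching the four columns named in the question.
SCHEMA = """
CREATE TABLE activitylog (
    userid   INTEGER NOT NULL,
    activity TEXT    NOT NULL,
    start    TEXT    NOT NULL,
    stop     TEXT    NOT NULL
)
"""

def log_activity_formatted(con, userid, activity, start, stop):
    # The question's pattern: values spliced into the SQL text, so any
    # quote in the input becomes part of the statement's syntax.
    sql = """INSERT INTO activitylog (userid, activity, start, stop)
             VALUES ({0}, '{1}', '{2}', '{3}')""".format(userid, activity, start, stop)
    con.execute(sql)

def log_activity_param(con, userid, activity, start, stop):
    # The answer's pattern: '?' placeholders, values passed as a tuple.
    # sqlite3 binds them as data, never as SQL, so quoting is irrelevant.
    con.execute(
        """INSERT INTO activitylog (userid, activity, start, stop)
           VALUES (?, ?, ?, ?)""",
        (userid, activity, start, stop),
    )

def demo():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    # Constructed sample input: an activity name containing apostrophes.
    activity = "reviewed O'Brien's report"
    start, stop = "2024-01-01 09:00", "2024-01-01 09:30"
    try:
        log_activity_formatted(con, 7, activity, start, stop)
        formatted_ok = True
    except sqlite3.OperationalError:
        # SQLite reports a syntax error near the stray text after the quote.
        formatted_ok = False
    log_activity_param(con, 7, activity, start, stop)
    rows = con.execute("SELECT userid, activity FROM activitylog").fetchall()
    # Only the parameterised insert succeeded, and the text is stored intact.
    return formatted_ok, rows

if __name__ == "__main__":
    print(demo())
```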

