
I am a newbie to both Python and SQLite, hence I need some expert or friendly advice on this. I am trying to capture tweets using Tweepy and store them in a SQLite database. Following is the code:

```python
# `status` is the tweepy Status object handed to the stream listener,
# `c` is an open sqlite3 cursor on the database (both set up elsewhere)
stat = status.text
stat = stat.replace('\n', '')
stat = stat.replace('\t', '')
user_id = status.user.id_str
stat_id = status.id_str
create = str(status.created_at)
name = status.user.screen_name
data = (create, name, user_id, stat_id, stat)

# parameterized insert: the `?` placeholders are bound to `data` by sqlite3
c.execute("INSERT INTO tweetscapture (Date, ScreenName, UserID, TweetID, Text) values (?, ?, ?, ?, ?)", data)
```

Can someone please verify whether it is vulnerable to an SQL injection attack? The only data entry source into my database is Twitter.

  • This isn't enough information. How are the variables in data created? Where does the information come from and how? – James Kent May 11 '17 at 10:51
    @JamesKent Isn't this really just a question about whether `c.execute()` substitutes the parameters into the prepared statement safely? Why does it matter where the information came from? – Barmar May 11 '17 at 10:54
  • As stated in the linked question, using parameterized queries with `cursor.execute()` protects you from SQL injection. – Barmar May 11 '17 at 10:59
  • @Barmar thank you so much. I saw the other post earlier but just wasn't sure. It seems my code is safe. – Rohit Farmer May 11 '17 at 11:06
  • @Barmar true, my bad – James Kent May 11 '17 at 11:07

0 Answers
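To make the point from the comments concrete, here is an added, self-contained example (not code from the question or from Tweepy) that runs against an in-memory SQLite database. It uses a constructed tweet text containing apostrophes and compares the parameterized insert from the question with the string-formatting anti-pattern: the parameterized version stores the text verbatim, while the formatted version lets the apostrophe reach the SQL parser and the statement fails. The function and column names other than `tweetscapture` and its columns are assumptions for the demo.

```python
import sqlite3

# Constructed sample tweet text; the apostrophes are what matter for the demo.
SAMPLE_TWEET = "it's 5 o'clock\nand all's well"

def make_db():
    """Create an in-memory database with the table used in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tweetscapture "
        "(Date TEXT, ScreenName TEXT, UserID TEXT, TweetID TEXT, Text TEXT)"
    )
    return conn

def clean_text(text):
    """Same whitespace stripping the question's code does."""
    return text.replace("\n", "").replace("\t", "")

def insert_tweet(conn, created, name, user_id, stat_id, text):
    """Parameterized insert, as in the question: values never enter the SQL text."""
    data = (created, name, user_id, stat_id, clean_text(text))
    conn.execute(
        "INSERT INTO tweetscapture (Date, ScreenName, UserID, TweetID, Text) "
        "VALUES (?, ?, ?, ?, ?)",
        data,
    )
    conn.commit()

def insert_tweet_unsafe(conn, created, name, user_id, stat_id, text):
    """The anti-pattern for comparison: values pasted into the SQL string itself."""
    sql = (
        "INSERT INTO tweetscapture (Date, ScreenName, UserID, TweetID, Text) "
        "VALUES ('%s', '%s', '%s', '%s', '%s')"
        % (created, name, user_id, stat_id, clean_text(text))
    )
    conn.execute(sql)  # the apostrophe in the text ends the string literal early
    conn.commit()

def fetch_texts(conn):
    """Return every stored Text value, in insertion order."""
    return [row[0] for row in conn.execute("SELECT Text FROM tweetscapture ORDER BY rowid")]

def demo():
    """Run both inserts; return (stored texts, whether the unsafe insert failed)."""
    conn = make_db()
    insert_tweet(conn, "2017-05-11 10:51:00", "example_user", "1", "1", SAMPLE_TWEET)
    stored = fetch_texts(conn)
    try:
        insert_tweet_unsafe(conn, "2017-05-11 10:51:00", "example_user", "1", "2", SAMPLE_TWEET)
        unsafe_failed = False
    except sqlite3.OperationalError:
        # SQLite reports a syntax error because the quote broke the statement
        unsafe_failed = True
    return stored, unsafe_failed

if __name__ == "__main__":
    texts, failed = demo()
    print("stored via placeholders:", texts)
    print("string-formatted insert raised OperationalError:", failed)
```

The parameterized call hands the tuple to SQLite separately from the statement, so the database treats every element purely as a value, whatever characters it contains; that is why the origin of the data (Twitter or anywhere else) does not change the answer. With `%` formatting the same text becomes part of the SQL grammar, which is the condition an injection needs.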