Python SQL Injection safe

Question

Short question: I want to make my code safer but in this line it crashes:

self.cursor.execute("SELECT device_name FROM device WHERE device_id = %s", self.device_id)

This is working fine, but not safe for injection attacks:

self.cursor.execute("SELECT device_name FROM device WHERE device_id = " + str(self.device_id))

I have no idea, whats wrong in the first line.

[...] raise errors.get_exception(packet)
mysql.connector.errors.ProgrammingError: 1064 (42000): Unknown error

Possible duplicate of [Protecting against SQL injection in python](https://stackoverflow.com/questions/10950362/protecting-against-sql-injection-in-python) — Sam M, Oct 14 '18 at 02:11
It should be `...execute('whatever %s', (param,))` not `...execute('whatever %s', param)`, i.e. `(param,)` not simply `param`. — Steffen Ullrich, Oct 14 '18 at 02:13

score 1 · Accepted Answer · answered Oct 14 '18 at 02:17

1

The second argument must be a collection (tuple, list or dict) of parameters.

self.cursor.execute("SELECT device_name FROM device WHERE device_id = %s", 
                    (self.device_id,))

answered Oct 14 '18 at 02:17

orangecat

1 Answers1