if search_string:
    keyword = search_string.replace("'", "")

So we have a search string that we pass into a query to the db. For now it isn't protected at all and it's scary. How can I validate that the string doesn't contain any injections? If you know libraries or built-in stuff to do this, please send me their names.

  • Have a look at SQLAlchemy: https://www.sqlalchemy.org/ – Cow Aug 16 '22 at 10:14
  • https://bobby-tables.com/python – SuperStormer Aug 16 '22 at 10:17
  • This is not possible, injection is not an input-side problem. You need to encode and sanitize user input _when it is used somewhere_. Encode for html when put in html, encode for json when put in json, and "encode for sql" when put in sql, which actually means using proper query parameters instead of string concatenation (and not trying to encode yourself). These are just examples, it always must be encoded for the context it's used in. – Gabor Lengyel Aug 16 '22 at 13:31
  • 99% of questions about [tag:sql-injection] are correctly answered with: "use query parameters." – Bill Karwin Aug 17 '22 at 18:41

0 Answers
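The approach the comments recommend, as an added example that is not code from the thread: the question's quote-stripping search beside a parameterized one, run against a constructed in-memory sqlite3 table. The `books` table, the LIKE search and the sample titles are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the demo, not from the question.
SAMPLE_ROWS = [("O'Reilly Python Cookbook",), ("Fluent Python",), ("100% Python",)]


def make_db():
    """Build a throwaway in-memory table to search against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT)")
    conn.executemany("INSERT INTO books (title) VALUES (?)", SAMPLE_ROWS)
    return conn


def search_stripping_quotes(conn, search_string):
    """The question's approach: strip quotes, then concatenate into SQL.
    The query is still built from user text, and legitimate input that
    contains an apostrophe (O'Reilly) is silently corrupted."""
    keyword = search_string.replace("'", "")
    sql = "SELECT title FROM books WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, search_string):
    """What the comments recommend: bind the term as a query parameter.
    The driver passes it as data, so quotes inside it stay literal.
    LIKE wildcards (% and _) are a separate concern that parameters do
    not address, so they are escaped explicitly with an ESCAPE clause."""
    escaped = (search_string.replace("\\", "\\\\")
                            .replace("%", "\\%")
                            .replace("_", "\\_"))
    sql = "SELECT title FROM books WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print(search_stripping_quotes(db, "O'Reilly"))   # [] : apostrophe stripped, no match
    print(search_parameterized(db, "O'Reilly"))      # ["O'Reilly Python Cookbook"]
    print(search_parameterized(db, "%"))             # ["100% Python"] : literal percent only
```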