homepage

In the SQlite module documentation there a code section showing how to securely use the sqlite.execute method.
The problem with this code section is that just from a glance, without reading the paragraph before, or the comments in the section, users could use the insecure version.
It would be better if only a secure example would be in the code section.
https://docs.python.org/2/library/sqlite3.html
Section:
# Never do this -- insecure!
symbol = 'RHAT'
c.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
# Do this instead
t = ('RHAT',)
c.execute('SELECT * FROM stocks WHERE symbol=?', t)
print c.fetchone()
# Larger example that inserts many records at a time
purchases = [('2006-03-28', 'BUY', 'IBM', 1000, 45.00),
 ('2006-04-05', 'BUY', 'MSFT', 1000, 72.00),
 ('2006-04-06', 'SELL', 'IBM', 500, 53.00),
 ]
c.executemany('INSERT INTO stocks VALUES (?,?,?,?,?)', purchases)

I think it is pretty hard to miss "Never do this" when reading the code section. That said, I don't have a strong objection to changing it.
I've reduced the versions field to those branches this might get changed in, as is our standard practice with the versions field. Nor is this a security issue in our usage of that type, so I've changed the type to behavior.

> I think it is pretty hard to miss "Never do this" when reading the code section.
I agree with David. However, I may be biased since I spend a lot of time reading docs.python.org :) Here is a patch that moves the insecure example to a separate code block.

Looking at this again, I think the current version of the documentation should stay as-is. Perhaps my patch can make the insecure example separated from the secure one, but I don't think it's worth to apply it.