Manual parameter substitution in sqlite3

Serhiy Storchaka storchaka at gmail.com
Wed Mar 1 15:36:34 EST 2017


On 28.02.17 19:28, Skip Montanaro wrote:
> Most of the time (well, all the time if you're smart), you let the
> database adapter do parameter substitution for you to avoid SQL
> injection attacks (or stupid users). So:
>
> curs.execute("select * from mumble where key = ?", (key,))
>
> If you want to select from several possible keys, it would be nice to
> be able to do this:
>
> curs.execute("select * from mumble where key in (?)", (keys,))
>
> but that doesn't work. Instead, you need to do your own parameter
> substitution. The quick-and-insecure way to do this is:
>
> curs.execute("select * from mumble where key in (%s)" %
>              ",".join([repr(k) for k in keys]))
>
> I'm pretty sure that's breakable.

 # One "key = ?" per value; only the placeholder count is built by hand,
 # the values themselves are still bound by sqlite3 as a single sequence.
 curs.execute("select * from mumble where %s" %
              " or ".join(["key = ?"] * len(keys)),
              keys)
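The same idea in the IN-clause form Skip asked about, as an added example that is not from either post: one "?" per key is generated, the values are bound by sqlite3, and the key list is split into chunks because SQLite caps the number of host parameters per statement (SQLITE_MAX_VARIABLE_NUMBER, 999 by default before 3.32.0, 32766 since). The table layout (key, val) and the demo rows are assumptions.

```python
import sqlite3


def select_by_keys(conn, keys, chunk=999):
    """Rows of mumble whose key is in `keys`, using bound parameters only.

    An empty key list yields [] without issuing any query, and long lists
    are split so no statement exceeds `chunk` placeholders.
    """
    keys = list(keys)
    rows = []
    for i in range(0, len(keys), chunk):
        part = keys[i:i + chunk]
        placeholders = ",".join("?" * len(part))        # e.g. "?,?,?"
        # Only the placeholder string is interpolated; user data never is.
        sql = "select key, val from mumble where key in (%s)" % placeholders
        rows.extend(conn.execute(sql, part).fetchall())
    return rows


def demo(keys, chunk=999):
    """Build an in-memory table (constructed sample data) and run a lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mumble (key text, val integer)")
    # Constructed rows; one key deliberately contains a quote character,
    # which is exactly what a repr()-built query would mishandle.
    conn.executemany("insert into mumble values (?, ?)",
                     [("a", 1), ("b", 2), ("o'brien", 3), ("c", 4)])
    return select_by_keys(conn, keys, chunk)


if __name__ == "__main__":
    print(demo(["a", "o'brien", "zzz"]))   # [('a', 1), ("o'brien", 3)]
```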

