1

I am learning Database connection from MySQL Connector/Python Developer Guide.

This is the code I am using to insert data:

conn = mysql.connector.connect(user="user", password="password", host="127.0.0.1", database="db")
cursor = conn.cursor()
query = ("INSERT INTO test(name,email) VALUES(%s,%s)")
data = ("cool", "cool")
cursor.execute(query, data)
conn.commit()
cursor.close()
conn.close()

Is this type of data insertion safe and can stop sql injection?

gnat
20.5k29 gold badges117 silver badges308 bronze badges
asked Nov 14, 2014 at 17:03

1 Answer 1

2

Yes. According to the documentation, this is the correct syntax for specifying and executing a query with parameters. Parametrized queries are immune to SQL injection; SQL injection can only occur when you mix user input directly into the query string instead of separating it out.

answered Nov 14, 2014 at 17:08

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.