Protection from SQL injection

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
1
down vote

favorite












I have this code, which is working correctly, but I am sure that it allows SQL injection attacks.



@app.route('/private/')
def private():
 login = request.args.get('login', default=None, type=str)

 if login is None:
 return jsonify(data='Incorrect URL')

 try:
 c, conn = cursor_connection()
 c = conn.cursor()
 c.execute("SELECT uid "
 "FROM logins_passwords "
 "WHERE login='' "
 "".format(login)
 )

 id = c.fetchall()
 if not id:
 return jsonify(data='Incorrect login')

 c.execute("SELECT mc_address "
 "FROM boxes_id "
 "WHERE uid='' "
 "".format(id[0][0])
 )
 mc_address = c.fetchall()[0][0]

 c.close()
 conn.close()
 except Exception as e:
 return str(e)

 return render_template(
 "private.html",
 id=mc_address
 )


Access is available by URL request. How can I protect it against SQL injection? If I'm right, I think that changing access method to POST can solve all problems with security here?



As far as I understand, in cases of only POST requests allowed, the attacker will have no ability to inject SQL request through a URL. How can it be possible to execute SQL requests than?




python python-2.7 sql-injection




share|improve this question





















  • Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
    – Daniel
    Jan 13 at 13:40











  • Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
    – Ivan
    Jan 13 at 13:53






  • 1




    I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:03










  • Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:10











  • No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
    – Ivan
    Jan 13 at 17:22
















up vote
1
down vote

favorite












I have this code, which is working correctly, but I am sure that it allows SQL injection attacks.



@app.route('/private/')
def private():
 login = request.args.get('login', default=None, type=str)

 if login is None:
 return jsonify(data='Incorrect URL')

 try:
 c, conn = cursor_connection()
 c = conn.cursor()
 c.execute("SELECT uid "
 "FROM logins_passwords "
 "WHERE login='' "
 "".format(login)
 )

 id = c.fetchall()
 if not id:
 return jsonify(data='Incorrect login')

 c.execute("SELECT mc_address "
 "FROM boxes_id "
 "WHERE uid='' "
 "".format(id[0][0])
 )
 mc_address = c.fetchall()[0][0]

 c.close()
 conn.close()
 except Exception as e:
 return str(e)

 return render_template(
 "private.html",
 id=mc_address
 )


Access is available by URL request. How can I protect it against SQL injection? If I'm right, I think that changing access method to POST can solve all problems with security here?



As far as I understand, in cases of only POST requests allowed, the attacker will have no ability to inject SQL request through a URL. How can it be possible to execute SQL requests than?




python python-2.7 sql-injection




share|improve this question





















  • Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
    – Daniel
    Jan 13 at 13:40











  • Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
    – Ivan
    Jan 13 at 13:53






  • 1




    I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:03










  • Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:10











  • No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
    – Ivan
    Jan 13 at 17:22












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I have this code, which is working correctly, but I am sure that it allows SQL injection attacks.



@app.route('/private/')
def private():
 login = request.args.get('login', default=None, type=str)

 if login is None:
 return jsonify(data='Incorrect URL')

 try:
 c, conn = cursor_connection()
 c = conn.cursor()
 c.execute("SELECT uid "
 "FROM logins_passwords "
 "WHERE login='' "
 "".format(login)
 )

 id = c.fetchall()
 if not id:
 return jsonify(data='Incorrect login')

 c.execute("SELECT mc_address "
 "FROM boxes_id "
 "WHERE uid='' "
 "".format(id[0][0])
 )
 mc_address = c.fetchall()[0][0]

 c.close()
 conn.close()
 except Exception as e:
 return str(e)

 return render_template(
 "private.html",
 id=mc_address
 )


Access is available by URL request. How can I protect it against SQL injection? If I'm right, I think that changing access method to POST can solve all problems with security here?



As far as I understand, in cases of only POST requests allowed, the attacker will have no ability to inject SQL request through a URL. How can it be possible to execute SQL requests than?




python python-2.7 sql-injection




share|improve this question













I have this code, which is working correctly, but I am sure that it allows SQL injection attacks.



@app.route('/private/')
def private():
 login = request.args.get('login', default=None, type=str)

 if login is None:
 return jsonify(data='Incorrect URL')

 try:
 c, conn = cursor_connection()
 c = conn.cursor()
 c.execute("SELECT uid "
 "FROM logins_passwords "
 "WHERE login='' "
 "".format(login)
 )

 id = c.fetchall()
 if not id:
 return jsonify(data='Incorrect login')

 c.execute("SELECT mc_address "
 "FROM boxes_id "
 "WHERE uid='' "
 "".format(id[0][0])
 )
 mc_address = c.fetchall()[0][0]

 c.close()
 conn.close()
 except Exception as e:
 return str(e)

 return render_template(
 "private.html",
 id=mc_address
 )


Access is available by URL request. How can I protect it against SQL injection? If I'm right, I think that changing access method to POST can solve all problems with security here?



As far as I understand, in cases of only POST requests allowed, the attacker will have no ability to inject SQL request through a URL. How can it be possible to execute SQL requests than?





python python-2.7 sql-injection





share|improve this question












share|improve this question




share|improve this question








edited Jan 14 at 23:32









Jamal♦

30.1k11114225




30.1k11114225









asked Jan 13 at 11:32









Ivan

265




265











  • Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
    – Daniel
    Jan 13 at 13:40











  • Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
    – Ivan
    Jan 13 at 13:53






  • 1




    I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:03










  • Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:10











  • No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
    – Ivan
    Jan 13 at 17:22
















  • Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
    – Daniel
    Jan 13 at 13:40











  • Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
    – Ivan
    Jan 13 at 13:53






  • 1




    I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:03










  • Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
    – JanErikGunnar
    Jan 13 at 17:10











  • No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
    – Ivan
    Jan 13 at 17:22















Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
– Daniel
Jan 13 at 13:40





Switching to POST will not protect against SQL attacks (and a whole range of other attacks).
– Daniel
Jan 13 at 13:40













Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
– Ivan
Jan 13 at 13:53




Why not? Attacker will have no abillity to inject SQL request through URL, how can it be possible to execute SQL requests?
– Ivan
Jan 13 at 13:53




1




1




I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
– JanErikGunnar
Jan 13 at 17:03




I don't think the code is working correctly. It is trivial to create a POST request to your server and setting "login" parameter to the value: " not a valid user' OR '1' = '1 " You MUST do either input sanitation or do a parameterized query.
– JanErikGunnar
Jan 13 at 17:03












Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
– JanErikGunnar
Jan 13 at 17:10





Reading the query again, I realize that you were already aware of the vulnerability, I got confused because in my mind "working correctly" and "allows SQL injection attack" are mutually exclusive :) Though even disregarding security, it will fail if the user happens to have a username containing a single quote and some other characters. As mentioned, uou MUST do either input sanitation or do a parameterized query.
– JanErikGunnar
Jan 13 at 17:10













No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
– Ivan
Jan 13 at 17:22




No problem:) Can you provide a simple example based on my code so I could realize how secure SQL request should look like..?
– Ivan
Jan 13 at 17:22















active

oldest

votes











Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
);
);
, "mathjax-editing");

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "196"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f185030%2fprotection-from-sql-injection%23new-answer', 'question_page');

);

Post as a guest






















active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f185030%2fprotection-from-sql-injection%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

Chat program with C++ and SFML

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 2 down vote favorite This is my client code: (My server is very similar at the moment but I will upload it below this one just in case somebody wants to run it) #include <SFML/Graphics.hpp> #include <SFML/Network.hpp> #include <thread> int main() sf::RenderWindow main_win(sf::VideoMode(800, 800), "Chatcy!"); main_win.setPosition(sf::Vector2i(sf::VideoMode::getDesktopMode().width/2 -400, sf::VideoMode::getDesktopMode().height/2 -400)); main_win.setVerticalSyncEnabled(true); //chatcy logo sf::Texture chatcy; chatcy.loadFromFile("image_chatcy.png"); sf::Sprite logo; logo.setTexture(chatcy); //200x800 //font sf::Font font; font.loadFromFile("FreeSerif.ttf"); //name sf::String name("Client"); name += ": "; //text input area and background sf::RectangleShape in_backg
Read more

Function to Return a JSON Like Objects Using VBA Collections and Arrays

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 1 down vote favorite My goal is to create a compact function that can create a JSON Like object from JSON string. I want a function with a small footprint that I or anyone who wants to use it, can simply paste into a module and use. At 61 lines of code, I am happy with its size and portability. Here is an image of JSON Object created from string data using a ScriptControl . Although the Locals Window displays the properties and values correctly, the object itself is extremely difficult to work with. This image shows an object created using getJSONCollection . Because it is made of VBA Collections and Arrays, it is very easy to work with. Option Explicit Private Function getJSONCollection(ByVal Value As Variant, Optional ScriptEngine As Object) As Variant Const DELIMITER As String = "||" Dim col As Collection, JSON As Object, KeyNam
Read more

Will my employers contract hold up in court?

Image
Clash Royale CLAN TAG #URR8PPP up vote 8 down vote favorite 2 When I started a new job back in July of 2017, I signed a contract that had the following bindings or restrictions if I was ever to leave the company: Cannot work for a competitor within 25 miles of current companies location for the next two years Cannot offer my services to any organization within 25 miles of current companies location for the next two years Now, when mentioned “my services” this can be related to my profession of website design. This contract seems incredibly binding, 2 years in length, and I’m looking to see if it would actually hold up in an Arizona court. contract employment non-compete arizona share | improve this question edited Aug 7 at 15:35 feetwet ♦ 13.8k 9 37 85 asked Aug 6 at 19:05 Alex S. 46 2 What does your company do and what services do they provide? What is your role (i.e. internal work or work for customers).
Read more