Hemant Vishwakarma: How to prevent sql injection for a IN clause using python mysql connector?

Tuesday, 12 April 2022

How to prevent sql injection for a IN clause using python mysql connector?

Using Python 3.8, mysql-connector-python 8.0.28, I have a query that looks like this

query = """
    SELECT
        id, quotation_number
    FROM quotations
    WHERE
        quotation_number = "%s"
    LIMIT 1;
""" % (
    quotation_number
)
result_in_list_of_dict = query_mysql(query)

where quotation_number (note the singular) is a python string variable

How do i keep the """ format and using % to prevent SQL injection if my query is now using IN clause?

Assume the query is now written as in MySQL format

SELECT id, quotation_number FROM quotations WHERE quotation_number IN (...,...);

And the variable is now quotation_numbers (note the plural s) which is a python list of strings.

Assume the python variable quotation_numbers which is a list of strings can be of arbitrary length, with a minimum of 1 string.

from How to prevent sql injection for a IN clause using python mysql connector?

Hemant Vishwakarma

Tuesday, 12 April 2022

How to prevent sql injection for a IN clause using python mysql connector?

No comments:

Post a Comment