SQL – Parameterized Queries

Slides:

Advertisements

Similar presentations

Μαθαίνοντας Python [Κ4] ‘Guess the Number’

Advertisements

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

SQLite 1 CS440. What is SQLite?  Open Source Database embedded in Android  SQL syntax  Requires small memory at runtime (250 Kbytes)  Lightweight.

Phonegap Bridge – File System CIS 136 Building Mobile Apps 1.

MySql In Action Step by step method to create your own database.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 

Functions Lesson 10. Skills Matrix Function A function is a piece of code or routine that accepts parameters and stored as an object in SQL Server. The.

Python MySQL Database Access

Rensselaer Polytechnic Institute CSCI-4380 – Database Systems David Goldschmidt, Ph.D.

Introduction to MySQL Lab no. 10 Advance Database Management System.

By: Matt Batalon, MCITP  Another form of temporary storage that can be queried or joined against, much like a table variable, temp.

9 Persistence - SQLite CSNB544 Mobile Application Development Thanks to Utexas Austin.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.

SCUHolliday - coen 1788–1 Schedule Today u Modifications, Schemas, Views. u Read Sections (except and 6.6.6) Next u Constraints. u Read.

SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

BIS Database Systems School of Management, Business Information Systems, Assumption University A.Thanop Somprasong Chapter # 8 Advanced SQL.

Variables When programming it is often necessary to store a value for use later on in the program. A variable is a label given to a location in memory.

MySQL More… 1. More on SQL In MySQL, the Information Schema is the “Catalog” in the SQL standard SQL has three components: Data definition Data manipulation.

JPA / HIBERNATE CSCI 6370 Nilayan Bhattacharya Sanket Sable.

Security Considerations Steve Perry

Course FAQ’s I do not have any knowledge on SQL concepts or Database Testing. Will this course helps me to get through all the concepts? What kind of.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.

* Database is a group of related objects * Objects can be Tables, Forms, Queries or Reports * All data reside in Tables * A Row in a Table is a record.

Secure Authentication. SQL Injection Many web developers are unaware of how SQL queries can be tampered with SQL queries are able to circumvent access.

IS2803 Developing Multimedia Applications for Business (Part 2) Lecture 6: Accessing a database with PHP Rob Gleasure robgleasure.com.

SQL Query Analyzer. Graphical tool that allows you to:  Create queries and other SQL scripts and execute them against SQL Server databases. (Query window)

Database Overview What is a database? What types of databases are there? How are databases more powerful than spreadsheets?

Creating E/R Diagrams with SQL Server Management Studio, Writing SQL Queries D0ncho Minkov Telerik School Academy schoolacademy.telerik.com Technical Trainer.

Notes: **A Row is considered one Record. **A Column is a Field. A Database is…  an organized set of stored information usually on one topic  a collection.

Module of the week Webform 7.x-4.0-alpha9 – admin/config/content/webform Add content types, choose allowed fields, default values and advanced options.

Introduction to Database Programming with Python Gary Stewart

Introduction to pysqlite

Web Systems & Technologies

SQL Injection Attacks.

Creating Database Objects

Cosc 5/4730 Sqlite primer.

SQL – Python and Databases

Adapters and Converters

CS320 Web and Internet Programming SQL and MySQL

Tables and Triggers.

Aggregate Functions and Collations

Python – Dates and Times

Android Application SQLite 1.

Unix System Administration

Database Systems: Design, Implementation, and Management Tenth Edition

Unit 16 – Database Systems

SQL – Data types.

SQL INJECTION ATTACKS.

Case Statements and Functions

SQL – Dates and Times.

sqlite3 — DB-API 2.0 interface for SQLite databases

SQL – Application Persistence Design Patterns

DATABASE SQL= Structure Query Language مبادئ قواعد بيانات

SQL – Python and Databases (Continued)

CIS 136 Building Mobile Apps

Developing a Model-View-Controller Component for Joomla Part 3

CREATE, INSERT, SELECT.

Python Lessons 9 & 10 Mr. Husch.

Database Systems: Design, Implementation, and Management Tenth Edition

MySQL Database System Installation Overview SQL summary

Data Types and Maths Programming Guides.

Mobile Programming Dr. Mohsin Ali Memon.

SQL – Application Persistence Design Patterns

Creating Database Objects

Triggers 7/11/2019 See scm-intranet.

Presentation transcript:

SQL – Parameterized Queries

The execute method revisited conn = sqlite3.connect(":memory:") conn.execute("CREATE TABLE students (name TEXT, age INTEGER);") conn.execute("INSERT INTO students VALUES ('Josh', 27);") What if we wanted to add a python integer? dog_age = 7 conn.execute( "INSERT INTO students VALUES ('Zoe', " + str(dog_age) + ");" )

Parameterized Queries Used to pass python objects into queries without needing to manually convert to strings. dog_age = 7 conn.execute("INSERT INTO students VALUES ('Zoe', ?);", (dog_age,)) row = ('Tim', 45) conn.execute("INSERT INTO students VALUES (?, ?);", row)

https://xkcd.com/327/

Explanation The problem is if we wrote code like this: name = "Robert'); DROP TABLE students; --" conn.execute("INSERT INTO students VALUES ('" + name + "');") # INSERT INTO students VALUES ('Robert'); # DROP TABLE students; --'); The input would be allowed to execute arbitrary queries against the database.

Protection by parameterized query Parameterized queries will automatically escape the input and ensure that the value passed in is store as that value. name = "Robert'); DROP TABLE students; --" conn.execute("INSERT INTO students VALUES (?);", (name,)) The string name will be stored, in its entirety, and the single quote will be escaped to stop it from harming the database.

Python and Sqlite datetime revisisted Python's sqlite3 module actually has build-in support for the automatic conversion of python datetime objects: datetime.date objects are of type DATE datetime.datetime objects are of type TIMESTAMP You need to tell sqlite that you will be using custom types instead of the usual 4 (INTEGER, REAL, TEXT, BLOB) by passing an additional arguments to "connect".