Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL – Parameterized Queries

Published byJane Greer Modified over 5 years ago

Similar presentations

Presentation on theme: "SQL – Parameterized Queries"— Presentation transcript:

1 SQL – Parameterized Queries

2 The execute method revisited
conn = sqlite3.connect(":memory:") conn.execute("CREATE TABLE students (name TEXT, age INTEGER);") conn.execute("INSERT INTO students VALUES ('Josh', 27);") What if we wanted to add a python integer? dog_age = 7 conn.execute( "INSERT INTO students VALUES ('Zoe', " + str(dog_age) + ");" )

3 Parameterized Queries
Used to pass python objects into queries without needing to manually convert to strings. dog_age = 7 conn.execute("INSERT INTO students VALUES ('Zoe', ?);", (dog_age,)) row = ('Tim', 45) conn.execute("INSERT INTO students VALUES (?, ?);", row)

4

5 Explanation The problem is if we wrote code like this:
name = "Robert'); DROP TABLE students; --" conn.execute("INSERT INTO students VALUES ('" + name + "');") # INSERT INTO students VALUES ('Robert'); # DROP TABLE students; --'); The input would be allowed to execute arbitrary queries against the database.

6 Protection by parameterized query
Parameterized queries will automatically escape the input and ensure that the value passed in is store as that value. name = "Robert'); DROP TABLE students; --" conn.execute("INSERT INTO students VALUES (?);", (name,)) The string name will be stored, in its entirety, and the single quote will be escaped to stop it from harming the database.

7 Python and Sqlite datetime revisisted
Python's sqlite3 module actually has build-in support for the automatic conversion of python datetime objects: datetime.date objects are of type DATE datetime.datetime objects are of type TIMESTAMP You need to tell sqlite that you will be using custom types instead of the usual 4 (INTEGER, REAL, TEXT, BLOB) by passing an additional arguments to "connect".

Download ppt "SQL – Parameterized Queries"

Similar presentations

Μαθαίνοντας Python -- 2. [Κ4] ‘Guess the Number’

Μαθαίνοντας Python [Κ4] ‘Guess the Number’
Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.

Structured Query Language SQL: An Introduction. SQL (Pronounced S.Q.L) The standard user and application program interface to a relational database is.
SQLite 1 CS440. What is SQLite?  Open Source Database embedded in Android  SQL syntax  Requires small memory at runtime (250 Kbytes)  Lightweight.

SQLite 1 CS440. What is SQLite?  Open Source Database embedded in Android  SQL syntax  Requires small memory at runtime (250 Kbytes)  Lightweight.
Phonegap Bridge – File System CIS 136 Building Mobile Apps 1.

Phonegap Bridge – File System CIS 136 Building Mobile Apps 1.
MySql In Action Step by step method to create your own database.

MySql In Action Step by step method to create your own database.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 

Databases with PHP A quick introduction. Y’all know SQL and Databases  You put data in  You get data out  You can do processing on it very easily 
Functions Lesson 10. Skills Matrix Function A function is a piece of code or routine that accepts parameters and stored as an object in SQL Server. The.

Functions Lesson 10. Skills Matrix Function A function is a piece of code or routine that accepts parameters and stored as an object in SQL Server. The.
Python MySQL Database Access

Python MySQL Database Access
Rensselaer Polytechnic Institute CSCI-4380 – Database Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSCI-4380 – Database Systems David Goldschmidt, Ph.D.
Introduction to MySQL Lab no. 10 Advance Database Management System.

Introduction to MySQL Lab no. 10 Advance Database Management System.
By: Matt Batalon, MCITP  Another form of temporary storage that can be queried or joined against, much like a table variable, temp.

By: Matt Batalon, MCITP  Another form of temporary storage that can be queried or joined against, much like a table variable, temp.
9 Persistence - SQLite CSNB544 Mobile Application Development Thanks to Utexas Austin.

9 Persistence - SQLite CSNB544 Mobile Application Development Thanks to Utexas Austin.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.

Accessing Your MySQL Database from the Web with PHP (Ch 11) 1.
SCUHolliday - coen 1788–1 Schedule Today u Modifications, Schemas, Views. u Read Sections 6.5-6.7. (except 6.6.5 and 6.6.6) Next u Constraints. u Read.

SCUHolliday - coen 1788–1 Schedule Today u Modifications, Schemas, Views. u Read Sections (except and 6.6.6) Next u Constraints. u Read.
SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.

SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
BIS3635 - Database Systems School of Management, Business Information Systems, Assumption University A.Thanop Somprasong Chapter # 8 Advanced SQL.

BIS Database Systems School of Management, Business Information Systems, Assumption University A.Thanop Somprasong Chapter # 8 Advanced SQL.
Variables When programming it is often necessary to store a value for use later on in the program. A variable is a label given to a location in memory.

Variables When programming it is often necessary to store a value for use later on in the program. A variable is a label given to a location in memory.

Similar presentations

Ads by Google