0Pricing
Python Academy · Lesson

Parameterized Queries

Prevent SQL injection.

The Danger of String Building

Building SQL by concatenating strings is risky. If user input contains SQL, it can change your query. This is called SQL injection.

Never do this with untrusted data.

name = 'Alice'
# Unsafe pattern - do NOT do this
query = "SELECT * FROM users WHERE name = '" + name + "'"
print(query)

What Injection Looks Like

Imagine a malicious value. Concatenating it changes the query meaning entirely.

name = "x' OR '1'='1"
query = "SELECT * FROM users WHERE name = '" + name + "'"
print(query)
print('The OR clause makes every row match!')

All lessons in this course

  1. Connecting and Creating Tables
  2. Insert, Select, Update, Delete
  3. Parameterized Queries
  4. Transactions and Context Managers
← Back to Python Academy