It is a best practice to avoid binding data using Python’s formatting function due to the risk of SQL injection.

It is a best practice to avoid binding data using Python’s formatting function due to the risk of SQL injection.
A . TRUE
B. FALSE

View Answer

Answer: A

Explanation

Avoid SQL Injection Attacks

Avoid binding data using Python’s formatting function because you risk SQL injection. For example:

# Binding data (UNSAFE EXAMPLE)

con.cursor().execute(

"INSERT INTO testtable(col1, col2)"

"VALUES(%(col1)d, ‘%(col2)s’)" % {

‘col1’: 789,

‘col2’: ‘test string3’

})

# Binding data (UNSAFE EXAMPLE)

con.cursor().execute(

"INSERT INTO testtable(col1, col2) "

"VALUES(%d, ‘%s’)" % (

789,

‘test string3’

))

# Binding data (UNSAFE EXAMPLE)

con.cursor().execute(

"INSERT INTO testtable(col1, col2) "

"VALUES({col1}, ‘{col2}’)".format(

col1=789,

col2=’test string3′)

)

Instead, store the values in variables, check those values (for example, by looking for suspicious semicolons inside strings), and then bind the parameters using qmark or numeric binding style.