It is a best practice to avoid binding data using Python’s formatting function due to the risk of SQL injection.
A. TRUE
B. FALSE
Answer: A
Explanation
Avoid SQL Injection Attacks
Avoid binding data using Python’s formatting function because you risk SQL injection. For example:
# con is an open snowflake.connector connection (assumed; its creation is not shown on the page)

# Binding data (UNSAFE EXAMPLE): values spliced into the SQL text with dict-style %-formatting
con.cursor().execute(
    "INSERT INTO testtable(col1, col2) "
    "VALUES(%(col1)d, '%(col2)s')" % {
        'col1': 789,
        'col2': 'test string3'
    })

# Binding data (UNSAFE EXAMPLE): values spliced in with positional %-formatting
con.cursor().execute(
    "INSERT INTO testtable(col1, col2) "
    "VALUES(%d, '%s')" % (
        789,
        'test string3'
    ))

# Binding data (UNSAFE EXAMPLE): values spliced in with str.format()
con.cursor().execute(
    "INSERT INTO testtable(col1, col2) "
    "VALUES({col1}, '{col2}')".format(
        col1=789,
        col2='test string3')
)
Instead, store the values in variables, check those values (for example, by looking for suspicious semicolons inside strings), and then bind the parameters using qmark or numeric binding style.
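An added example (not from the page or from Snowflake's own documentation) that contrasts string formatting with qmark binding on a value containing an apostrophe. It uses Python's built-in sqlite3 module as a stand-in driver, since it shares the '?' paramstyle that the Snowflake connector uses once snowflake.connector.paramstyle is set to 'qmark'; the table name and values are constructed for the demo.

```python
import sqlite3

# Stand-in driver: sqlite3 also uses the '?' (qmark) paramstyle. With a real
# Snowflake connection (after snowflake.connector.paramstyle = 'qmark'), the
# same (sql, params) pair is passed to con.cursor().execute().

INSERT_SQL = "INSERT INTO testtable(col1, col2) VALUES(?, ?)"


def insert_formatted(con, col1, col2):
    """UNSAFE: col2 is spliced into the SQL text, so any quote character
    inside it becomes part of the statement rather than part of the data."""
    sql = "INSERT INTO testtable(col1, col2) VALUES(%d, '%s')" % (col1, col2)
    con.execute(sql)


def insert_bound(con, col1, col2):
    """SAFE: the SQL text is fixed and the values travel separately (qmark
    binding); the driver never interprets them as SQL."""
    con.execute(INSERT_SQL, (col1, col2))


def fetch_col2(con, col1):
    row = con.execute("SELECT col2 FROM testtable WHERE col1 = ?", (col1,)).fetchone()
    return row[0] if row else None


def demo(col2="O'Brien's test string"):
    """Return (outcome of the formatted insert, value stored by the bound insert)."""
    con = sqlite3.connect(":memory:")  # constructed in-memory table for the demo
    con.execute("CREATE TABLE testtable(col1 INTEGER, col2 TEXT)")
    try:
        insert_formatted(con, 789, col2)
        formatted = "inserted"
    except sqlite3.OperationalError as exc:  # the apostrophe broke the statement
        formatted = "error: %s" % exc
    insert_bound(con, 790, col2)  # the same value round-trips intact when bound
    return formatted, fetch_col2(con, 790)


if __name__ == "__main__":
    print(demo())
```

The formatted statement fails on an ordinary apostrophe, which is the same mechanism an attacker relies on; binding removes it entirely, so a semicolon check is at best a secondary sanity check.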