patternpythonMajor
Inserting robot moves into an SQLite3 database
Viewed 0 times
robotmovesintosqlite3databaseinserting
Problem
I'm just wondering if you would consider this to be safe from SQL injection.
A peculiarity of my program is I need to dynamically access table names depending on my scenario.
This is not for publishing online, but I wish to know if this approach is any good.
I'm using Python3 and SQLite3. My database object contains the table name, and is not controlled by any user. It comes from another class in a config.cfg file.
A peculiarity of my program is I need to dynamically access table names depending on my scenario.
This is not for publishing online, but I wish to know if this approach is any good.
I'm using Python3 and SQLite3. My database object contains the table name, and is not controlled by any user. It comes from another class in a config.cfg file.
def save_record(state_int, database):
query = '''INSERT INTO %s (state_int, turn_left, turn_right, move_forward) VALUES (?,?,?,?)''' %(database.records_table_name)
database.cursor.execute(query, (state_int, 0, 0, 0))
database.robot_memory.commit()
save_record(10012, database)Solution
Just a philosophical answer here.
I think you're asking the wrong question. You shouldn't ask yourself "is my SQL code safe or vulnerable?" This is too hard to answer in any individual case, and coming up with the right answer could depend on a lot of contextual things such as the system configuration, the whole program structure, etc.
You don't want to have to consider all these things when writing code. People have already considered them a lot, and based on their experience they have come up with best practices.
Instead you should ask the question,
Does my code follow the standard best practices for preventing SQL injection?
As alluded to in another answer, using string interpolation to build queries is against best practices. So, while it doesn't seem like this creates a vulnerability in your code, we can't rule out that there is some edge case based on the rest of your program structure that would allow an attacker to put something into this string interpolation.
Unless you have a very good reason for doing so, follow the best practices, even if you don't need to. Then you can sleep well and ignore pathological edge cases.
I think you're asking the wrong question. You shouldn't ask yourself "is my SQL code safe or vulnerable?" This is too hard to answer in any individual case, and coming up with the right answer could depend on a lot of contextual things such as the system configuration, the whole program structure, etc.
You don't want to have to consider all these things when writing code. People have already considered them a lot, and based on their experience they have come up with best practices.
Instead you should ask the question,
Does my code follow the standard best practices for preventing SQL injection?
As alluded to in another answer, using string interpolation to build queries is against best practices. So, while it doesn't seem like this creates a vulnerability in your code, we can't rule out that there is some edge case based on the rest of your program structure that would allow an attacker to put something into this string interpolation.
Unless you have a very good reason for doing so, follow the best practices, even if you don't need to. Then you can sleep well and ignore pathological edge cases.
Context
StackExchange Code Review Q#134504, answer score: 36
Revisions (0)
No revisions yet.