escaping all characters that are meaningful to SQL: sanitize the input

carlosseguraanton · Sep 15, 2017 · ebd94f1 · ebd94f1
1 parent f0a63e9
commit ebd94f1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/dbhelper.py b/dbhelper.py
@@ -23,9 +23,9 @@ def add_input(self, data):
     try:
       # The following introduces a deliberate security flaw.
       #See section on SQL injection below
-      query = "INSERT INTO crimes (description) VALUES ('{}');".format(data)
+      query = "INSERT INTO crimes (description) VALUES (%s);".format(data)
       with connection.cursor() as cursor:
-        cursor.execute(query)
+        cursor.execute(query,data)
         connection.commit()
     finally:
         connection.close()