Update routes.py#3
Conversation
| if name: | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE name LIKE '%s", name | ||
| "SELECT * FROM books WHERE name LIKE '%" + name + "%" |
Check failure
Code scanning / CodeQL
SQL query built from user-controlled sources
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to use parameterized queries instead of directly concatenating user input into the SQL query string. Parameterized queries ensure that user input is properly escaped and quoted by the database driver, preventing SQL injection attacks.
- Replace the direct concatenation of user input in the SQL query with parameterized queries.
- Use placeholders (
%s) in the SQL query string and pass the user input as parameters to thecursor.executemethod. - Ensure that the
cursor.executemethod is called with the query string and a tuple of parameters.
| @@ -15,3 +15,3 @@ | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE name LIKE '%" + name + "%" | ||
| "SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',) | ||
| ) | ||
| @@ -21,3 +21,3 @@ | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE author LIKE '%" + author + "%" | ||
| "SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',) | ||
| ) |
| elif author: | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE author LIKE '%s", author | ||
| "SELECT * FROM books WHERE author LIKE '%" + author + "%" |
Check failure
Code scanning / CodeQL
SQL query built from user-controlled sources
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to use parameterized queries instead of directly concatenating user input into the SQL query strings. Parameterized queries ensure that user input is properly escaped and treated as data rather than executable code, thus preventing SQL injection attacks.
The best way to fix the problem without changing existing functionality is to modify the cursor.execute calls to use parameterized queries. This involves replacing the string concatenation with placeholders (%s) and passing the user input as parameters to the execute method.
| @@ -15,3 +15,3 @@ | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE name LIKE '%" + name + "%" | ||
| "SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',) | ||
| ) | ||
| @@ -21,3 +21,3 @@ | ||
| cursor.execute( | ||
| "SELECT * FROM books WHERE author LIKE '%" + author + "%" | ||
| "SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',) | ||
| ) |
No description provided.