Security¶
Warning
This project is no longer maintained as of February 2023. It is recommended that you use a proper ORM like SQLAlchemy or Django’s ORM instead.
Protecting against SQL injection¶
SQL injection is when an attacker is able to execute their own SQL statements against the database due to flawed processing of user input. isqlite takes steps to prevent SQL injection attacks, but it does require the programmer to use it correctly.
There are a number of places where Python string interpolation (e.g., f"x = {y}"
, "x = {}".format(y)
, "x = %s" % y
, "x = " + y
, or any other operation that directly inserts a value into a string) MUST NOT be used:
In the
where
argument toDatabase.select
,Database.get
, etc.In the names of tables (usually the first argument to
Database.*
methods).In any other string parameter to a
Database
method, such as thedistinct
parameter toDatabase.count
.
If you need to interpolate values into a where
argument (as you often do), you can do so safely using the companion values
argument:
rows = db.select("books", where="title LIKE :title_pattern", values={"title_pattern": "Lord of the Rings%"})
Table and column names should normally be hard-coded. If you really need to accept untrusted user input for the name of a table or a column, you MUST use an external library to sanitize the input before passing it to isqlite. Note that the quote
function in isqlite DOES NOT make an untrusted string safe to use. It merely ensures that a trusted string is syntatically valid.