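import sqlite3

# Demo: a table name taken from the user cannot be bound with "?", so it has
# to be checked against an allowlist (here: the tables that really exist in
# sqlite_master) before it is interpolated into SQL.
scary_data_from_user = "person"
create_sql = "CREATE TABLE IF NOT EXISTS person ( name VARCHAR , age INTEGER );"
db = "sample.db"
ins_sql_works = "INSERT INTO person (name, age) VALUES (?, ?);"
# "?" binds values only, never identifiers: sqlite3 rejects a placeholder in
# the table-name position, so this statement cannot be executed as written.
ins_sql_notworks = "INSERT INTO ? (name, age) VALUES (?, ?);"


def quote_identifier(name: str) -> str:
    """Return *name* as a double-quoted SQL identifier.

    Embedded double quotes are doubled, which is the SQL rule for quoting
    them inside an identifier. This keeps an unusual table name (spaces,
    quotes, semicolons) a single identifier once interpolated into SQL.
    """
    return '"' + name.replace('"', '""') + '"'


def table_exists(cur: sqlite3.Cursor, name: str) -> bool:
    """Return True if a table whose name is exactly *name* is in sqlite_master.

    The lookup itself is parameterized, so *name* is compared as data and can
    only ever match an existing table name, not inject SQL.
    """
    row = cur.execute(
        "select sql from sqlite_master where type = 'table' and name = ?;",
        (name,),
    ).fetchone()
    return row is not None


conn = sqlite3.connect(db)
try:
    cur = conn.cursor()
    cur.execute(create_sql)
    cur.execute(ins_sql_works, ("omer", 9999))
    # WORKS without problem
    if not table_exists(cur, scary_data_from_user):
        raise RuntimeError("The user is trying to hack me! HELP! HELP!")
    # The allowlist check above guarantees scary_data_from_user is exactly the
    # name of an existing table, so it cannot carry extra SQL. Quoting it as an
    # identifier additionally keeps a legitimately odd table name from breaking
    # the statement; the row values are still bound as parameters.
    cur.execute(
        f"INSERT INTO {quote_identifier(scary_data_from_user)} (name, age) VALUES (?, ?);",
        ("omer", 9999),
    )
    conn.commit()
finally:
    # Close on every path, including the RuntimeError above.
    conn.close()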