Thursday, 15 September 2011

mysql - python injection protection for multiple column queries -

How do I secure the following code against SQL injection? I use a comma instead of a percent sign, because that doesn't inject the string directly, but I can't do that when I want to select multiple columns from the database.

This works but is not safe:

    def fetch(columns):  # the function name is not preserved on the page; `fetch` is a placeholder
        # columns: a string of column names separated by commas
        id = 5
        querystr = """select %s from dash where id=%s limit 1"""
        # UNSAFE: both the columns and the id are formatted straight into the SQL text
        q.execute(querystr % (columns, id))  # q is the MySQLdb cursor

while this doesn't work:

    def fetch(columns):  # the function name is not preserved on the page; `fetch` is a placeholder
        # columns: a string of column names separated by commas
        id = 5
        querystr = """select %s from dash where id=%s limit 1"""
        # the values are bound as parameters, so the column list arrives as one quoted string
        q.execute(querystr, (columns, id))  # q is the MySQLdb cursor

I need to be able to alter the number of columns I'm searching for when I call the method.

You can't use the params argument of execute() to add the columns to the query anyway, because it adds single quotes around the argument, forcing it to be treated as a string. You'll end up with the query:

    select 'item1, item2, item3' from dash where id=5 limit 1

You have to interpolate the columns yourself.

To protect against SQL injection, it's your responsibility to filter the list of column names and validate it against the list of known columns of the table. Consider it a whitelisting process.
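A whitelisting implementation of the answer's advice, added here as an example (it is not code from the question or the answer): each requested column name is checked against a known set before it is interpolated into the query text, while the id is still bound as a parameter. It assumes a table named dash with columns id, item1, item2 and item3, and runs against an in-memory sqlite3 table for demonstration, since MySQLdb uses %s placeholders while sqlite3 uses ?.

```python
import re
import sqlite3

# Constructed example: the columns the `dash` table is known to have.
# Only names in this set may ever reach the query text.
ALLOWED_COLUMNS = frozenset({"id", "item1", "item2", "item3"})
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_select(columns, row_id, placeholder="%s"):
    """Return (sql, params) for SELECT <columns> FROM dash WHERE id=<param> LIMIT 1.

    `columns` is the caller-supplied, comma-separated column string from the
    question. Every name must be a plain identifier AND a member of the
    whitelist before it is interpolated; the id is never formatted into the
    string, it is returned as a bound parameter. `placeholder` is "%s" for
    MySQLdb and "?" for sqlite3.
    """
    names = [c.strip() for c in columns.split(",")]
    if any(n == "" for n in names):
        raise ValueError("empty column name in %r" % columns)
    for n in names:
        if not _IDENT.match(n) or n not in ALLOWED_COLUMNS:
            raise ValueError("column not allowed: %r" % n)
    # Backticks quote identifiers in MySQL; sqlite3 accepts them as well.
    col_sql = ", ".join("`%s`" % n for n in names)
    sql = "SELECT %s FROM dash WHERE id=%s LIMIT 1" % (col_sql, placeholder)
    return sql, (row_id,)


def fetch(columns, row_id):
    """Run the whitelisted query against a constructed in-memory sqlite3 table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dash (id INTEGER, item1 TEXT, item2 TEXT, item3 TEXT)")
    conn.execute("INSERT INTO dash VALUES (5, 'a', 'b', 'c')")
    sql, params = build_select(columns, row_id, placeholder="?")
    return conn.execute(sql, params).fetchone()
```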

mysql python-2.7 sql-injection
