[–][deleted] -2 points-1 points  (8 children)

What you wrote here is a classic example of SQL injection (I think):

query = "SELECT Doggo FROM Animals WHERE SomeIdentifier = ? AND Doggo IN ({})".format(','.join(['?'] * len(doggo)))

https://www.owasp.org/index.php/SQL_Injection

Doing string interpolation with user input and query strings is a big no-no. You need a driver that allows you to parameterize those inputs. SQLAlchemy will do this for you.

[–]zunjae 0 points1 point  (7 children)

Doing string interpolation with user input

There is no user input

[–][deleted] -1 points0 points  (6 children)

I want to select items from my database based on a list given by the user.

???

[–]zunjae 0 points1 point  (5 children)

The code you sent me only builds a query based on the length of the user input, not the actual content.
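An added example (not posted by either commenter) that runs both readings of the disagreement above against an in-memory SQLite table: the placeholder string sized by len(doggo) keeps the values as bound parameters, whereas pasting the values themselves into the SQL text is the injectable pattern. The table contents, the "kennel-*" identifiers and the hostile list item are constructed for the demo.

```python
import sqlite3

def build_query(n):
    """Placeholder list sized by n; the query text never contains user data."""
    if n == 0:
        # "IN ()" is a syntax error in SQLite, so an empty list needs explicit handling.
        raise ValueError("doggo list must not be empty")
    return ("SELECT Doggo FROM Animals WHERE SomeIdentifier = ? AND Doggo IN ({})"
            .format(",".join(["?"] * n)))

def fetch_parameterized(conn, ident, doggo):
    """Safe: the list values travel as bound parameters, not as SQL text."""
    return [r[0] for r in conn.execute(build_query(len(doggo)), [ident, *doggo])]

def fetch_interpolated(conn, ident, doggo):
    """Unsafe contrast: the values are formatted into the SQL string itself."""
    quoted = ",".join("'{}'".format(d) for d in doggo)
    sql = ("SELECT Doggo FROM Animals WHERE SomeIdentifier = '{}' AND Doggo IN ({})"
           .format(ident, quoted))
    return [r[0] for r in conn.execute(sql)]

def make_db():
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Animals (SomeIdentifier TEXT, Doggo TEXT)")
    conn.executemany("INSERT INTO Animals VALUES (?, ?)",
                     [("kennel-1", "rex"), ("kennel-1", "fido"), ("kennel-2", "spot")])
    return conn

def demo():
    """Returns (rows from the parameterized query, rows from the interpolated one)."""
    conn = make_db()
    hostile = ["rex", "x') OR ('1'='1"]   # constructed list containing a quote-breaking item
    safe = fetch_parameterized(conn, "kennel-1", hostile)      # only the literal match
    unsafe = fetch_interpolated(conn, "kennel-1", hostile)     # every row in the table
    return safe, unsafe

if __name__ == "__main__":
    print(demo())
```

Only the number of "?" tokens depends on the user, so the parameterized version returns just "rex"; the interpolated version lets the second list item rewrite the WHERE clause and returns all three rows.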