Closed bmenrigh closed 6 years ago
The DB queries / inserts just use simple string concatenation and introduce SQL injection vulnerabilities. For example:
cursor.execute("SELECT id FROM forts WHERE NAME LIKE '" + str(arg) + "%';")
You should consider moving to parameterized queries. See https://stackoverflow.com/questions/775296/python-mysql-parameterized-queries for some examples of how to do this.
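Added illustration, not code from the issue or the project: the concatenated query from the issue beside a parameterized version, run against a constructed `forts` table in Python's built-in sqlite3 (an assumption for an offline demo; sqlite3 uses `?` placeholders where MySQL drivers use `%s`). Binding the value stops it from ever being parsed as SQL; the `ESCAPE` clause plus a small helper additionally keeps `%` and `_` in the input from acting as LIKE wildcards, which parameterization alone does not address.

```python
import sqlite3

# Constructed sample rows standing in for the project's "forts" table.
SAMPLE_FORTS = [(1, "Alpha Fort"), (2, "Alphabet Gym"), (3, "Bravo Tower")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO forts VALUES (?, ?)", SAMPLE_FORTS)
    return conn


def find_forts_concat(conn, arg):
    """The pattern from the issue: user input is spliced into the SQL text,
    so a quote in the input changes the structure of the statement."""
    cursor = conn.cursor()
    cursor.execute("SELECT id FROM forts WHERE name LIKE '" + str(arg) + "%';")
    return sorted(row[0] for row in cursor.fetchall())


def escape_like(value):
    """Binding stops SQL injection, but LIKE still treats % and _ inside the
    bound string as wildcards. Escape them (and the escape char itself) so the
    prefix is matched literally; pairs with the ESCAPE '\\' clause below."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_forts_param(conn, arg):
    """Parameterized version: the driver binds the value as data, and the SQL
    text is a constant string regardless of what the caller passes in."""
    cursor = conn.cursor()
    cursor.execute(
        "SELECT id FROM forts WHERE name LIKE ? ESCAPE '\\'",
        (escape_like(str(arg)) + "%",),
    )
    return sorted(row[0] for row in cursor.fetchall())


if __name__ == "__main__":
    db = make_db()
    for prefix in ("Alpha", "Alpha_", "x%' OR name LIKE '"):
        print(repr(prefix), find_forts_concat(db, prefix), find_forts_param(db, prefix))
```

Running it shows the concatenated query returning every row for the quoted input and matching "Alpha Fort" for the prefix `Alpha_`, while the parameterized query treats both inputs as literal text.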
switched over to parameterized queries.