How to Remove Quotes in Python SQLite
Through the "SQLite" module, users of Python can connect to databases, send database queries, and collect results from those queries. This offers programmers a powerful way to integrate database calls into their Python scripts. However, reading raw data from users in Python can present a security hole. Attackers can insert quotation marks in strategic places in order to inject SQL commands into the database and perform undesired commands. By using the parameter substitution method of sqlite3's "execute" method, the sqlite3 module will strip unsafe quotation and make the input safe for use.
Other People Are Reading
Instructions
-
-
1
Import sqlite3 into your script as follows:
#!/usr/bin/python
import sqlite3
-
2
Connect to a database file with the "connect" method:
conn = sqlite3.connect('/home/db/data')
-
-
3
Create a string with some unsafe quotes in it:
input = 'this "quote" needs cleaned'
-
4
Execute a query on the database using "execute" and parameter substitution:
curs = conn.cursor()
curs.execute('select * from row where symbol=?', input)
-
1
