To avoid injections, use `execute` with `%s` in place of each variable, then pass the value via a list or tuple as the second parameter of `execute`. Here is an [example from the documentation][1]:

    c=db.cursor()
    max_price=5
    c.execute(&quot;&quot;&quot;SELECT spam, eggs, sausage FROM breakfast
              WHERE price &lt; %s&quot;&quot;&quot;, (max_price,))

Note that this is using a **comma**, not **%** (which would be a direct string substitution, not escaped). **Don&#39;t do this**:

    c.execute(&quot;&quot;&quot;SELECT spam, eggs, sausage FROM breakfast
              WHERE price &lt; %s&quot;&quot;&quot; % (max_price,))

In addition, you must not use single quotes around the position holder (`&#39;%s&#39;`) if the parameter is a string as the driver provides these.

  [1]: http://mysql-python.sourceforge.net/MySQLdb.html#some-examples

As an expansion of Bruno&#39;s answer, your MySQL client library may support any of several different formats for specifying named parameters. From [PEP 249 (DB-API)](http://www.python.org/dev/peps/pep-0249/), you could write your queries like:


### &#39;qmark&#39;
    
    &gt;&gt;&gt; cursor.execute(&quot;SELECT spam FROM eggs WHERE lumberjack = ?&quot;, (lumberjack,))

### &#39;numeric&#39;

    &gt;&gt;&gt; cursor.execute(&quot;SELECT spam FROM eggs WHERE lumberjack = :1&quot;, (lumberjack,))

### &#39;named&#39;

    &gt;&gt;&gt; cursor.execute(&quot;SELECT spam FROM eggs WHERE lumberjack = :jack&quot;, {&#39;jack&#39;: lumberjack})

### &#39;format&#39;

    &gt;&gt;&gt; cursor.execute(&quot;SELECT spam FROM eggs WHERE lumberjack = %s&quot;, (lumberjack,))

### &#39;pyformat&#39;

    &gt;&gt;&gt; cursor.execute(&quot;SELECT spam FROM eggs WHERE lumberjack = %(jack)s&quot;, {&#39;jack&#39;: lumberjack})

You can see which your client library supports by looking at the `paramstyle` module-level variable:

    &gt;&gt;&gt; clientlibrary.paramstyle
    &#39;pyformat&#39;

Any of the above options should Do The Right Thing with regards to handling your possibly insecure data. As Bruno pointed out, please don&#39;t ever try to insert parameters yourself. The commonly-used client libraries are much better at processing data correctly than we mere mortals will ever be.

I am getting Arabic text from server successfully. Retrieved text I want display in code but its showing boxes instead of Arabic text. Assume that `t` array values are Arabic text from server.

    string[] t={&quot; &quot;};
    Textview tv = (Textview) findviewByid(R.id.text);
    tv.setText(t[0]);

How to support Arabic text in Android?

After playing around with AMD/RequireJS I was wondering if it is a good idea to load UI modules including templates and CSS so they are completely independent from the web page.

It sounds like good, but I haven&#39;t seen this implemented in the wild so there may be pitfalls.

Think of some UI module with the following structure:

    myWidget
        |--img 
        |--main.js
        |--styles.css
        +--template.tpl

All stuff in one folder. Looks very nice.

The module in main.js would look something like this:

&lt;!-- language: lang-js --&gt;

    define([&quot;TemplateEngine&quot;, &quot;text!myWidget/template.tpl&quot;], function(TemplateEngine, template) {

        // Load CSS (Pseudo Code)
        var cssUrl = &quot;myWidget/styles.css&quot;;
        appendToHead(cssUrl);

        return function() {
            return {
                render: function(data) {
                      return TemplateEngine.toHtml(template, data);
                } 
            }
        }
    });


Questions are now:

1. Am I missing something?
1. Are there any plugins/concepts how to achieve this in a &quot;standard&quot; way?
1. Is the RequireJS optimizer able to handle the CSS part here, say concat/minify the stylesheets like it does with the JS parts?
1. Any opinions on that? Good or bad?

RequireJS: Loading modules including templates and CSS

What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection.

However, I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is &quot;not-done&quot;.

What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking MySQL injection?

Python: best practice and securest way to connect to MySQL and execute queries

What is the safest way to run queries on MySQL? I am aware of the dangers involved with MySQL and SQL injection.
However, I do not know how I should run my queries to prevent injection on the variables to which other users (webclients) can manipulate. I used to write my own escape function, but apparently this is "not-done".
What should I use and how should I use it to query and do inserts safely on a MySQL database through python without risking MySQL injection?

I am pretty new to python&#39;s urllib.  What I need to do is set a custom header for the request being sent to the server.  Specifically, I need to set the Content-type and Authorizations headers.  I have looked into the python documentation, but I haven&#39;t been able to find it.

How do I set headers using python&#39;s urllib?

I&#39;m working on a **multi-tenanted** application in which some users can define their own data fields (via the admin) to collect additional data in forms and report on the data.  The latter bit makes JSONField not a great option, so instead I have the following solution:

    class CustomDataField(models.Model):
        &quot;&quot;&quot;
        Abstract specification for arbitrary data fields.
        Not used for holding data itself, but metadata about the fields.
        &quot;&quot;&quot;
        site = models.ForeignKey(Site, default=settings.SITE_ID)
        name = models.CharField(max_length=64)
    
        class Meta:
            abstract = True

    class CustomDataValue(models.Model):
        &quot;&quot;&quot;
        Abstract specification for arbitrary data.
        &quot;&quot;&quot;
        value = models.CharField(max_length=1024)

        class Meta:
            abstract = True

Note how CustomDataField has a ForeignKey to Site - each Site will have a different set of custom data fields, but use the same database.
Then the various concrete data fields can be defined as:

    class UserCustomDataField(CustomDataField):
        pass

    class UserCustomDataValue(CustomDataValue):
        custom_field = models.ForeignKey(UserCustomDataField)
        user = models.ForeignKey(User, related_name=&#39;custom_data&#39;)

        class Meta:
            unique_together=((&#39;user&#39;,&#39;custom_field&#39;),)

This leads to the following use:

    custom_field = UserCustomDataField.objects.create(name=&#39;zodiac&#39;, site=my_site) #probably created in the admin
    user = User.objects.create(username=&#39;foo&#39;)
    user_sign = UserCustomDataValue(custom_field=custom_field, user=user, data=&#39;Libra&#39;)
    user.custom_data.add(user_sign) #actually, what does this even do?


But this feels very clunky, particularly with the need to manually create the related data and associate it with the concrete model.  Is there a better approach?  

Options that have been pre-emptively discarded:

 - Custom SQL to modify tables on-the-fly.  Partly because this won&#39;t scale and partly because it&#39;s too much of a hack.
 - Schema-less solutions like NoSQL.  I have nothing against them, but they&#39;re still not a good fit.  Ultimately this data **is** typed, and the possibility exists of using a third-party reporting application.
 - JSONField, as listed above, as it&#39;s not going to work well with queries.

Django dynamic model fields

Suppose I have the following python code:

    def outer():
        string = &quot;&quot;
        def inner():
            string = &quot;String was changed by a nested function!&quot;
        inner()
        return string

I want a call to outer() to return &quot;String was changed by a nested function!&quot;, but I get &quot;&quot;. I conclude that Python thinks that the line `string = &quot;string was changed by a nested function!&quot;` is a declaration of a new variable local to inner(). My question is: how do I tell Python that it should use the outer() string? I can&#39;t use the `global` keyword, because the string isn&#39;t global, it just lives in an outer scope. Ideas?



Python overwriting variables in nested functions

I have a str object for example: `menu = &#39;install&#39;`. I want to run install method from this string. For example when I call `menu(some, arguments)` it will call `install(some, arguments)`. Is there any way to do that ?

Python: call a function from string name

I know in php I could just use `$_GET[&#39;key1&#39;][&#39;key2&#39;]` to retrieve GET data that is sent in the form of an array but is that something possible in Python as I just receive a string and it&#39;s not recognized as an array/list.

I use flask/werkzeug if that matters.

Getting the array as GET query parameters in Python

I&#39;m running a server at my office to process some files and report the results to a remote MySQL server.

The files processing takes some time and the process dies halfway through with the following error: 

    2006, MySQL server has gone away

I&#39;ve heard about the MySQL setting, **wait_timeout**, but do I need to change that on the server at my office or the remote MySQL server?


MySQL error 2006: mysql server has gone away

To compare databases of different vendors (Oracle, SQL Server, DB2, MySQL, and PostgreSQL) how can I identify any object uniquely and do I need a catalog? For instance, In Java&#39;s DatabaseMetadata I should specify catalog and schema fooPattern at least. 

Is it true that catalog is just an abstraction of data storage?

Relationship between catalog, schema, user, and database instance

For homebrew mysql installs, where&#39;s my.cnf? Does it install one?

For homebrew mysql installs, where&#39;s my.cnf?

I&#39;m designing a little web-app/game. What would be better: MySQL tables or json files? They both store information. They can both be parsed by PHP. What are the advantages/disadvantages?

This is what I mean:

    username | password
    -------------------
    seefour  | abc123

vs.

    {
      &quot;username&quot;:&quot;seefour&quot;,
      &quot;password&quot;:&quot;abc123&quot;
    }

---

EDIT: Wow, It&#39;s been just 3 years since I asked this question and it&#39;s surprising to see how much I&#39;ve matured since when I asked this question. From a future me to the past me, this is why the two don&#39;t work. (In case anybody naive like me at the time can refer to this)

I used to think the two were interchangeable because they were both pretty much ways of storing information, although storing and using JSON files was easier to me at the time. Databases are separate pieces of software that make retrieving data much faster and don&#39;t end up being bloated over time. Also, carrying all the data in one or two files makes it dangerously easy to end up getting your data stolen or lost, where as a database is much more secure with those. Fundamentally, data shouldn&#39;t be part of your code; it should be a separate thing that your code works with.

Also, you&#39;ll learn about hashing and salting a couple of years down the line, so don&#39;t store passwords in plain text!

MySQL vs. JSON - Why?

I&#39;ve read on some blogs and in some articles related to optimization, how to optimize queries. I read I need to use indexes and make sure all my primary key and foreign keys are set correctly using a good relational database schema.

Now I have a query I need to optimize and I get this on the `EXPLAIN`:

    Using where; Using temporary; Using filesort

I am using MySQL 5.5

I know I am using `WHERE` but not with my temporary table nor filesort? What does this mean? 



MySQL explain Query understanding

How do [prepared statements][1] help us prevent [SQL injection][2] attacks?

Wikipedia says:

&gt; Prepared statements are resilient against SQL injection, because
&gt; parameter values, which are transmitted later using a different
&gt; protocol, need not be correctly escaped. If the original statement
&gt; template is not derived from external input, SQL injection cannot
&gt; occur.

I cannot see the reason very well. What would be a simple explanation in an easy English and some examples?

  [1]: http://en.wikipedia.org/wiki/Prepared_statement
  [2]: http://en.wikipedia.org/wiki/SQL_injection



How can prepared statements protect from SQL injection attacks?

I have the following code, using pscyopg2:

    sql = &#39;select %s from %s where utctime &gt; %s and utctime &lt; %s order by utctime asc;&#39;
    data = (dataItems, voyage, dateRangeLower, dateRangeUpper)
    rows = cur.mogrify(sql, data)

This outputs:

    select &#39;waterTemp, airTemp, utctime&#39; from &#39;ss2012_t02&#39; where utctime &gt; &#39;2012-05-03T17:01:35+00:00&#39;::timestamptz and utctime &lt; &#39;2012-05-01T17:01:35+00:00&#39;::timestamptz order by utctime asc;


When I execute this, it falls over - this is understandable, as the quotes around the table name are illegal.

Is there a way to legally pass the table name as a parameter, or do I need to do a (explicitly warned against) string concatenation, ie:

    voyage = &#39;ss2012_t02&#39;
    sql = &#39;select %s from &#39; + voyage + &#39; where utctime &gt; %s and utctime &lt; %s order by utctime asc;&#39;

Cheers for any insights.

Passing table name as a parameter in psycopg2

I have to program an application management system for my OJT company. The front end will be done in C# and the back end in SQL.

Now I have never done a project of this scope before; in school we had only basic lessons about SQL. Somehow our teacher completely failed to discuss SQL injections, something which I have only now come in contact with by reading about it on the net.

So anyway my question is: how do you prevent SQL injections in C#? I vaguely think that it can be done by properly masking the text fields of the application so that it only accepts input in a specified format. For example: an e-mail textbox should be of the format &quot;example@examplecompany.tld&quot;. Would this approach be sufficient? Or does .NET have pre-defined methods that handle stuff like this? Can I apply a filter to a textbox so it only accepts email-address format or a name textbox so it doesn&#39;t accept special chars?

What are good ways to prevent SQL injection?

To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn&#39;t work, so I am look for an example of why it wouldn&#39;t.

If dynamic SQL is built in code using the following escaping before being sent to a SQL Server, what kind of injection can defeat this?

    string userInput= &quot;N&#39;&quot; + userInput.Replace(&quot;&#39;&quot;, &quot;&#39;&#39;&quot;) + &quot;&#39;&quot;

A similar question was answered [here][1], but I don&#39;t believe any of the answers are applicable here.

Escaping the single quote with a &quot;\&quot; isn&#39;t possible in SQL Server.

I believe **SQL Smuggling** with Unicode (outlined [here][2]) would be thwarted by the fact that the string being produced is marked as Unicode by the N preceding the single quote. As far as I know, there are no other character sets that SQL Server would automatically translate to a single quote. Without an unescaped single quote, I don&#39;t believe injection is possible.

I don&#39;t believe **String Truncation** is a viable vector either. SQL Server certainly won&#39;t be doing the truncating since the max size for an `nvarchar` is 2GB [according to microsoft][3]. A 2 GB string is unfeasible in most situations, and impossible in mine.

**Second Order Injection** could be possible, but is it possible if:

1. All data going into the database is sanitized using the above method
2. Values from the database are never appended into dynamic SQL (why would you ever do that anyways, when you can just reference the table value in the static part of any dynamic SQL string?).

I&#39;m not suggesting that this is better than or an alternative to using parameterized queries, but I want to know how what I outlined is vulnerable. Any ideas?

  [1]: https://stackoverflow.com/questions/139199/can-i-protect-against-sql-injection-by-escaping-single-quote-and-surrounding-use
  [2]: https://www.owasp.org/images/d/d4/OWASP_IL_2007_SQL_Smuggling.pdf
  [3]: http://msdn.microsoft.com/en-us/library/ms186939.aspx

How can sanitation that escapes single quotes be defeated by SQL injection in SQL Server?

Is it possible to prevent SQL injections in Node.js (preferably with a module) in the same way that PHP had Prepared Statements that protected against them.

If so, how? If not, **what are some examples** that might bypass the code I&#39;ve provided (see below).

----------------
Some Context:

I&#39;m making a web application with a back-end stack consisting of Node.js + MySql using the [node-mysql][1] module. From a usability perspective, the module is great, but it has not yet implemented something akin to PHP&#39;s [Prepared Statements][2] (though I&#39;m aware it is on the [todo][3]).

From my understanding, PHP&#39;s implementation of prepared statements, among other things, [helped greatly][4] in the prevention of SQL injections. I&#39;m worried, though, that my node.js app may be open to similar attacks, [even with the string escaping provided by default][5] (as in the code snippet below).

node-mysql seems to be the most popular mysql connector for node.js, so I was wondering what other people might be doing (if anything) to account for this issue - or if it is even an issue with node.js to begin with (not sure how this wouldn&#39;t be, since user/client-side input is involved).

**Should I switch to [node-mysql-native][6] for the time being, since it does provide prepared statements?** I&#39;m hesitant to do this, because it does not seem to be as active as node-mysql (though that may just mean that it is complete).

Here is a snippet of user registration code, which uses the [sanitizer][7] module, along with node-mysql&#39;s prepared statement-like syntax (which, as I mentioned above, does character escaping), to prevent cross site scripting and sql injections, respectively:

    // Prevent xss
    var clean_user = sanitizer.sanitize(username);

    // assume password is hashed already
    var post = {Username: clean_user, Password: hash};
           
    // This just uses connection.escape() underneath
    var query = connection.query(&#39;INSERT INTO users SET ?&#39;, post,
       function(err, results)
       {
           // Can a Sql injection happen here?
       });


  [1]: https://github.com/felixge/node-mysql
  [2]: http://php.net/manual/en/pdo.prepared-statements.php
  [3]: https://github.com/felixge/node-mysql#todo
  [4]: https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602
  [5]: https://github.com/felixge/node-mysql#escaping-query-values
  [6]: https://github.com/sidorares/nodejs-mysql-native
  [7]: https://github.com/theSmaw/Caja-HTML-Sanitizer

Content Type	Original Author	Original Content on Stackoverflow
Question	Lucas Kauffman	View Question on Stackoverflow
Solution 1 - Python	Bruno	View Answer on Stackoverflow
Solution 2 - Python	Kirk Strauser	View Answer on Stackoverflow

Python: best practice and securest way to connect to MySQL and execute queries

Python Problem Overview

Python Solutions

Solution 1 - Python

Solution 2 - Python

'qmark'

'numeric'

'named'

'format'

'pyformat'

RequireJS: Loading modules including templates and CSS

How to support Arabic text in Android?

Attributions