I have some code in Python that sets a char(80) value in an sqlite

Question

0

Asked: June 5, 20262026-06-05T07:34:34+00:00 2026-06-05T07:34:34+00:00

I have some code in Python that sets a char(80) value in an sqlite

0

I have some code in Python that sets a char(80) value in an sqlite DB.

The string is obtained directly from the user through a text input field and sent back to the server with a POST method in a JSON structure.

On the server side I currently pass the string to a method calling the SQL UPDATE operation.

It works, but I’m aware it is not safe at all.

I expect that the client side is unsafe anyway, so any protection is to be put on the server side. What can I do to secure the UPDATE operation agains SQL injection ?

A function that would “quote” the text so that it can’t confuse the SQL parser is what I’m looking for. I expect such function exist but couldn’t find it.

Edit:
Here is my current code setting the char field name label:

def setLabel( self, userId, refId, label ):
    self._db.cursor().execute( """
        UPDATE items SET label = ? WHERE userId IS ? AND refId IS ?""", ( label, userId, refId) )
    self._db.commit()

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-05T07:34:35+00:00

Editorial Team

2026-06-05T07:34:35+00:00Added an answer on June 5, 2026 at 7:34 am

From the documentation:

con.execute("insert into person(firstname) values (?)", ("Joe",))

This escapes "Joe", so what you want is

con.execute("insert into person(firstname) values (?)", (firstname_from_client,))

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have some code in Python that sets a char(80) value in an sqlite

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply