
First, I'm very new to Stack Overflow (first question posted) and forums in general. In addition to this downfall, I'm also new to development and databases other than at a Systems Administration type level.

I see several questions about using variables in Python with the MySQLdb module on Stack Overflow. Many of them mention SQL injection code like this. The answer with 70+ upvotes gives you an example where % appears to be the deciding character in whether or not your code is susceptible to SQL injection. My questions are:

  1. Do I understand correctly that the "" % (VAR) instead of "", (VAR) is what makes the difference?

  2. If that is the case, then is this post also an example, or is there something different with using the % to designate a table vs a clause?

It is noteworthy to mention I've tried learning more about SQL injection. Not sure if I'm too dense or the material is, but I'm just not following. In this article by Cisco I tried to follow, I find that there is no mention of a percent, but instead they appear to be using ?. So if someone can point me to some "layman's" documentation I would appreciate that!

##EDIT## I tried to answer my own question but I'm too new and my reputation wouldn't allow it. But since RandomSeed answered it for me, the idea of editing my own post is probably the proper thing to do anyway!

BELOW THIS IS THE ANSWER I NEEDED

Only doing this because RandomSeed's comment under my initial post seems to answer it for me.

It doesn't necessarily have anything to do with the % which I initially asked, and most of the answers were already in other posts collectively, had I the perspective to understand the material.

The key to answering my question was that I didn't fully grasp the concept of SQL injection, so here's my layman's statement:

SQL injection is when user input (usually intentionally) can be used to execute queries on your database. There are basic preventions which will allow you to combat this, such as input sanitation and proper user/permissions assignment (among others).

Since I'm not currently building anything for user input, I don't need to worry much about SQL injection. I'm going to follow up from here and read further into methods for input sanitation, proper user/permission assignment and other common methods of combating this!

SQL injection becomes possible as soon as you start integrating user input into your queries. This is one of the most famous illustrations. This reference question, although initially applying to PHP, also provides tons of valuable information on how to prevent this, regardless of the language. –  RandomSeed Aug 3 '13 at 2:49
    
Check this one too. –  RandomSeed Aug 3 '13 at 2:53
    
@RandomSeed thanks for the quick response. I will review your links but I believe that was the missing piece. With all of the reading I did, I failed to realize that it was user input. I've basically worried about the wrong thing since mine isn't based on user input. However, now that I know more about it, I'm very interested. –  NoPathInParticular Aug 3 '13 at 4:09
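The two patterns the question contrasts, `query % (var,)` versus `cursor.execute(query, (var,))`, shown side by side as an added example (this is not code from the question, the comments, or the linked posts). It uses Python's built-in `sqlite3` module as a stand-in for MySQLdb so it runs offline with no database server; the table, rows and the `ALLOWED_TABLES` set are constructed for the demonstration. The only difference between the two drivers that matters here is the placeholder token: `sqlite3` uses `?` (DB-API paramstyle `qmark`, which is why the Cisco article shows `?`), while MySQLdb uses `%s` (paramstyle `format`), which is where the `%` confusion in the question comes from. The example also covers the second question: placeholders bind values, never identifiers, so a table name chosen at runtime has to be checked against a fixed allow-list instead.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# MySQL table the question is about. sqlite3 ships with Python, so no server
# or MySQLdb install is needed to see the difference between the two patterns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_with_string_formatting(conn, name):
    """The '"" % (VAR)' pattern from the question.

    Python's % operator pastes the raw text into the SQL string *before* the
    database ever sees it, so quote characters inside `name` become part of
    the statement instead of part of the value.
    """
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % (name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_with_placeholder(conn, name):
    """The '"", (VAR)' pattern: the value is passed as a separate argument.

    The SQL text and the value travel to the driver separately and the value is
    bound as data, so it can never change the shape of the statement.
    sqlite3's placeholder is '?'; with MySQLdb the same line would read
    "... WHERE name = %s" and the tuple argument would be identical.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed allow-list of table names this code is permitted to query.
ALLOWED_TABLES = {"users", "audit_log"}


def build_count_query(table):
    """Answer to the 'table vs clause' question: placeholders only bind
    values, not identifiers, so a table name cannot be passed as a parameter.
    The safe route is to accept only names from a fixed allow-list and only
    then format the (now trusted) name into the statement."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (table,))
    return "SELECT COUNT(*) FROM %s" % (table,)


def demo():
    """Run both lookups with an ordinary name and with a classic tautology
    payload, returning what each pattern hands back."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "format_normal": lookup_with_string_formatting(conn, "bob"),
        "param_normal": lookup_with_placeholder(conn, "bob"),
        # String formatting turns the WHERE clause into a tautology: every row.
        "format_payload": lookup_with_string_formatting(conn, payload),
        # Parameter binding looks for a user literally named "' OR '1'='1": no rows.
        "param_payload": lookup_with_placeholder(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-15s %r" % (label, rows))
```

Running the block prints the same `['bob']` for both patterns on normal input, but on the payload the string-formatted query returns every user while the parameterized query returns nothing. That is the whole point of the upvoted answer the question refers to: the comma form hands the value to the driver, the `%` form hands it to Python's string formatter.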
