
First, I'm very new to Stack Overflow (first question posted) and forums in general. In addition to this downfall, I'm also new to development and databases other than at a Systems Administration type level.

I see several questions about using variables in Python with the MySQLdb module on Stack Overflow. Many of them mention SQL injection code like this. The answer with 70+ upvotes gives you an example where % appears to be the deciding character in whether or not your code is susceptible to SQL injection. My questions are:

  1. Do I understand correctly that the "" % (VAR) instead of "", (VAR) is what makes the difference?

  2. If that is the case, then is this post also an example, or is there something different with using the % to designate a table vs a clause?

It is noteworthy to mention I've tried learning more about SQL injection. Not sure if I'm too dense or the material is, but I'm just not following. In this article by Cisco I tried to follow, I find that there is no mention of a percent, but instead they appear to be using ?. So if someone can point me to some "layman's" documentation I would appreciate that!
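The two patterns from question 1 side by side, as an added example that is not from the original question or any answer: sqlite3 stands in for MySQLdb so it runs offline (sqlite3's placeholder is `?`, the style the Cisco article uses; MySQLdb's is `%s`, but in both the driver binds the value separately from the SQL text). It also covers question 2: a placeholder can never stand in for a table name, so an identifier has to be checked against a fixed list before `%` is used on it. The table, its rows and the `ALLOWED_TABLES` list are constructed for this example.

```python
import sqlite3

# Constructed whitelist: the only table names this code is willing to interpolate.
ALLOWED_TABLES = {"users", "orders"}


def setup():
    """Create an in-memory database with a small constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_interpolated(conn, name):
    """The '...' % (VAR) pattern: the value is pasted into the SQL text.

    A quote character inside `name` therefore ends the string literal and the
    rest of the value is parsed as SQL, so the query's structure changes.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % (name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The '...', (VAR) pattern: SQL text is fixed, the value is bound as data.

    Whatever `name` contains is compared as one literal string; it can never
    add clauses to the query.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def count_rows(conn, table):
    """Identifiers (table/column names) cannot be bound with a placeholder.

    The only safe way to use % here is to first reject anything that is not
    one of the table names the program itself knows about.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table name: %r" % (table,))
    return conn.execute("SELECT COUNT(*) FROM %s" % (table,)).fetchone()[0]
```

With a plain name both lookups return the same row; with a value containing a quote the interpolated version returns every row while the parameterized one returns nothing, which is exactly the difference the % sign is being blamed for.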

SQL injection becomes possible as soon as you start integrating user input into your queries. This is one of the most famous illustrations. This reference question, although initially applying to PHP, also provides tons of valuable information on how to prevent this, regardless of the language. –  RandomSeed Aug 3 '13 at 2:49
    
Check this one too. –  RandomSeed Aug 3 '13 at 2:53
    
@RandomSeed thanks for the quick response. I will review your links, but I believe that was the missing piece. With all of the reading I did, I failed to realize that it was user input. I've basically worried about the wrong thing since mine isn't based on user input. However, now that I know more about it, I'm very interested. –  NoPathInParticular Aug 3 '13 at 4:09
    
Sufficient time has now passed for you to add your self-answer as an actual answer. Please do so, using the revision history of your question if necessary to retrieve the text. –  Air Apr 10 at 23:17
