How to Prevent SQL Injection in Python Web Applications

SQL injection remains the top web vulnerability, especially when using relational databases in backend development. This article explains how SQL injection can occur in Python web applications and demonstrates it with a simple class that builds SQL statements via string concatenation.

Cause

The most common cause is direct string concatenation of user input into SQL queries. Even using placeholders like %s without proper parameter binding does not prevent injection.

Vulnerable Example

A method constructs a SELECT query by concatenating the user‑controlled testUrl value, allowing an attacker to append a single quote and trigger a syntax error, confirming the injection point.

Running the script yields an error such as:

(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''t.tips''' at line 1")

Solution

Two approaches are recommended:

Escape or encode user input before inclusion in SQL.

Use the parameterized query support provided by Python’s MySQLdb module (or similar libraries).

By modifying the class to use parameterized execution, the SQL statement and its parameters are passed separately, and the driver safely escapes the values.

Example:

preUpdateSql = "UPDATE `article` SET title=%s, date=%s, mainbody=%s WHERE id=%s"
mysql.insert(preUpdateSql, [title, date, content, aid])

This prevents injection because the driver handles escaping of the supplied list of values.