== How to fix it in Python SQLite

=== Code examples

The following code is an example of an overly simple data retrieval function.
It is vulnerable to SQL injection because user-controlled data is inserted
directly into a query string: The application assumes that incoming data
always has a specific range of characters and ignores that some characters may
change the query logic to a malicious one.

In this particular case, the query can be exploited with the following string: 

----
' OR '1'='1
----

Using the UNION clause, an attacker would also be able to perform queries against
other tables and combine the returned data within the same query result.

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from flask import request

@app.route('/example')
def get_users():
    user = request.args["user"]
    sql = """SELECT user FROM users WHERE user = \'%s\'"""

    conn = sqlite3.connect('example')
    conn.cursor().execute(sql % (user)) # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
from flask import request

@app.route('/example')
def get_users():
    user = request.args["user"]
    sql = """SELECT user FROM users WHERE user = (?)"""
    value = (user,)
    
    conn = sqlite3.connect('example')
    conn.cursor().execute(sql, value)
----

=== How does this work?

include::../../common/fix/prepared-statements.adoc[]