openstack
/
bandit
Code Issues Proposed changes
bandit/examples/sql_statements.py

39 lines
1.2 KiB
Python
Raw Permalink Blame History

import sqlalchemy
# bad
query = "SELECT * FROM foo WHERE id = '%s'" % identifier
query = "INSERT INTO foo VALUES ('a', 'b', '%s')" % value
query = "DELETE FROM foo WHERE id = '%s'" % identifier
query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
# bad
cur.execute("SELECT * FROM foo WHERE id = '%s'" % identifier)
cur.execute("INSERT INTO foo VALUES ('a', 'b', '%s')" % value)
cur.execute("DELETE FROM foo WHERE id = '%s'" % identifier)
cur.execute("UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier)
# good
cur.execute("SELECT * FROM foo WHERE id = '%s'", identifier)
cur.execute("INSERT INTO foo VALUES ('a', 'b', '%s')", value)
cur.execute("DELETE FROM foo WHERE id = '%s'", identifier)
cur.execute("UPDATE foo SET value = 'b' WHERE id = '%s'", identifier)
# bad
query = "SELECT " + val + " FROM " + val +" WHERE id = " + val
# bad
cur.execute("SELECT " + val + " FROM " + val +" WHERE id = " + val)
# bug: https://bugs.launchpad.net/bandit/+bug/1479625
def a():
def b():
pass
return b
a()("SELECT %s FROM foo" % val)
# real world false positives
choices=[('server_list', _("Select from active instances"))]
print("delete from the cache as the first argument")
View Git Blame Copy Permalink