gh-96250: Improve sqlite3 injection attack example (GH-99270)
(cherry picked from commit 41d4ac9da348ca33056e271d71588b2dc3a6d48d)
Co-authored-by: Jia Junjie <62194633+jiajunjie@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
diff --git a/Doc/library/sqlite3.rst b/Doc/library/sqlite3.rst
index 9775f80..65fa1b6 100644
--- a/Doc/library/sqlite3.rst
+++ b/Doc/library/sqlite3.rst
@@ -1427,12 +1427,16 @@
SQL operations usually need to use values from Python variables. However,
beware of using Python's string operations to assemble queries, as they
-are vulnerable to `SQL injection attacks`_ (see the `xkcd webcomic
-<https://xkcd.com/327/>`_ for a humorous example of what can go wrong)::
+are vulnerable to `SQL injection attacks`_. For example, an attacker can simply
+close the single quote and inject ``OR TRUE`` to select all rows::
- # Never do this -- insecure!
- symbol = 'RHAT'
- cur.execute("SELECT * FROM stocks WHERE symbol = '%s'" % symbol)
+ >>> # Never do this -- insecure!
+ >>> symbol = input()
+ ' OR TRUE; --
+ >>> sql = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
+ >>> print(sql)
+ SELECT * FROM stocks WHERE symbol = '' OR TRUE; --'
+ >>> cur.execute(sql)
Instead, use the DB-API's parameter substitution. To insert a variable into a
query string, use a placeholder in the string, and substitute the actual values
