SQL injection from variable string concatenation in pg8000 SQL statements

Risk: Critical | Category: sql-injection

Tags: python, pg8000, postgresql, sql-injection, database

What it is

SQL injection vulnerability where SQL strings are built with variables using concatenation, formatting, or f-strings instead of pg8000 parameters, allowing attackers to alter queries, read sensitive data, or destroy tables.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Queries are assembled by concatenating or formatting untrusted values directly into the SQL string, so the database parses attacker-controlled text as part of the statement instead of receiving it as a bound value through pg8000's parameter binding.

Root causes

String Concatenation in pg8000 Queries

Building SQL queries with string concatenation instead of pg8000's parameter binding.

Not Using pg8000 Parameter Features

Ignoring pg8000's built-in parameter binding capabilities.

Fixes

1. Use Named Parameters with run()

Use pg8000's run() method with named parameters, so the value is bound by the driver rather than spliced into the SQL text:

    conn.run('SELECT * FROM users WHERE id=:id', id=user_id)

2. Use prepare() with Bind Values

Use conn.prepare() with placeholders and bind values for repeated queries:

    ps = conn.prepare('SELECT * FROM users WHERE id=$1')
    ps.run(user_id)

3. Validate Input Types

Ensure input values match the expected types before query execution: cast IDs to integers and validate string formats.
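
The following is an added example, not code from this page or from the pg8000 project. It puts the vulnerable string-built query next to the parameterised form from Fix 1 and the type check from Fix 3, and records what the driver would receive in each case. RecordingConnection is an assumed stand-in for pg8000.native.Connection that only mirrors the run(sql, **params) call shape shown above, so the example runs without a PostgreSQL server; the malicious id value is constructed for illustration.

```python
"""Added example: string-built SQL versus pg8000-style parameter binding plus
input validation. RecordingConnection is a stand-in (assumption) for
pg8000.native.Connection so this runs offline; it only mirrors the
run(sql, **params) shape used on this page and does not talk to a database."""
from __future__ import annotations

from typing import Any

# Constructed sample input: what an attacker might send in place of a numeric id.
MALICIOUS_ID = "1 OR 1=1"

# The only statement text a correct implementation should ever send.
SAFE_SQL = "SELECT * FROM users WHERE id=:id"


class RecordingConnection:
    """Records every run() call instead of executing it, so we can inspect what
    the driver would see as SQL text and what it would see as bound values."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []

    def run(self, sql: str, **params: Any) -> list[list[Any]]:
        self.calls.append((sql, params))
        return []  # a real connection would return result rows here


def fetch_user_unsafe(conn: RecordingConnection, user_id: str) -> str:
    """VULNERABLE: the untrusted value is spliced into the SQL text, so the
    server parses whatever the caller supplied as part of the statement."""
    sql = f"SELECT * FROM users WHERE id={user_id}"
    conn.run(sql)
    return sql


def fetch_user_safe(conn: RecordingConnection, user_id: Any) -> str:
    """Fix 1: the SQL text is a constant with a :id placeholder; the value
    travels to the driver separately and cannot change the statement."""
    conn.run(SAFE_SQL, id=user_id)
    return SAFE_SQL


def parse_user_id(raw: str) -> int:
    """Fix 3: accept only a positive decimal integer before anything reaches a
    query. str.isdecimal() rejects signs, spaces, operators and underscore
    separators that a bare int() call would tolerate."""
    candidate = raw.strip()
    if not candidate.isdecimal():
        raise ValueError(f"user id must be a decimal integer, got {raw!r}")
    value = int(candidate)
    if value <= 0:
        raise ValueError(f"user id must be positive, got {value}")
    return value


def fetch_user(conn: RecordingConnection, raw_id: str) -> tuple[str, dict[str, Any]]:
    """Fixes 1 and 3 together: validate, then bind. Returns the (sql, params)
    pair handed to the driver so callers and tests can inspect it."""
    user_id = parse_user_id(raw_id)
    fetch_user_safe(conn, user_id)
    return conn.calls[-1]


def leaked_input_into_sql(conn: RecordingConnection) -> bool:
    """Review aid: True if any recorded statement text deviates from SAFE_SQL,
    which means input was built into the query instead of being bound."""
    return any(sql != SAFE_SQL for sql, _ in conn.calls)


if __name__ == "__main__":
    conn = RecordingConnection()
    print("unsafe  :", fetch_user_unsafe(conn, MALICIOUS_ID))
    print("safe    :", fetch_user_safe(conn, MALICIOUS_ID), conn.calls[-1][1])
    try:
        fetch_user(conn, MALICIOUS_ID)
    except ValueError as exc:
        print("rejected:", exc)
    print("valid id:", fetch_user(conn, "42"))
    print("leaked  :", leaked_input_into_sql(conn))
```

Running the module shows the point of the page in one screen: the unsafe path sends the injected fragment as statement text with no parameters, while the safe path always sends the same constant statement and delivers the attacker's string, unchanged and harmless, as the bound value of `id`. The validation step rejects it before a query is attempted at all.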

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from variable string concatenation in pg8000 SQL statements and many other security issues in your codebase.