Python SQLite SQL Injection

Critical Risk SQL Injection
sql-injectionpythonsqlitef-strings

What it is

SQL injection vulnerability in Python applications using SQLite where user input is directly concatenated into SQL queries using f-strings without proper parameterization.

import sqlite3

def get_user_by_id(user_id):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()

    # VULNERABLE: Direct string concatenation
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)

    result = cursor.fetchone()
    conn.close()
    return result

# Malicious input: get_user_by_id("1 OR 1=1 --")
# Results in: SELECT * FROM users WHERE id = 1 OR 1=1 --
import sqlite3

def get_user_by_id(user_id):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()

    # SECURE: Using parameterized query
    query = "SELECT * FROM users WHERE id = ?"
    cursor.execute(query, (user_id,))

    result = cursor.fetchone()
    conn.close()
    return result

# Input validation
def get_user_by_id_safe(user_id):
    # Validate input type
    if not isinstance(user_id, int):
        raise ValueError("User ID must be an integer")

    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()

    query = "SELECT * FROM users WHERE id = ?"
    cursor.execute(query, (user_id,))

    result = cursor.fetchone()
    conn.close()
    return result

💡 Why This Fix Works

The vulnerable code directly concatenates user input into the SQL query, allowing attackers to inject malicious SQL. The fixed version uses parameterized queries which separate SQL logic from data.

Why it happens

Using f-strings to embed user input directly into SQL queries is a common cause of SQL injection in Python applications.

Root causes

F-string SQL Injection

Using f-strings to embed user input directly into SQL queries is a common cause of SQL injection in Python applications.

Preview example – PYTHON 
# Vulnerable
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

String Concatenation with .format()

Using string formatting methods to build SQL queries with user input creates injection vulnerabilities.

Preview example – PYTHON 
# Vulnerable
query = "SELECT * FROM users WHERE name = '{}'".format(username)
cursor.execute(query)

Fixes

1

Use Parameterized Queries with ?

Always use parameterized queries with ? placeholders when working with SQLite in Python applications.

View implementation – PYTHON 
# Secure
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))
2

Implement Type Validation

Validate input types and ranges before using them in database queries.

View implementation – PYTHON 
def get_user_by_id_safe(user_id):
    if not isinstance(user_id, int) or user_id <= 0:
        raise ValueError("User ID must be a positive integer")
    # Use parameterized query
    return get_user_by_id(user_id)

Detect This Vulnerability in Your Code

Sourcery automatically identifies python sqlite sql injection and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities